draft-ietf-i2nsf-nsf-monitoring-data-model-07.txt   draft-ietf-i2nsf-nsf-monitoring-data-model-08.txt 
Network Working Group                                     J. Jeong, Ed.
Internet-Draft                                                P. Lingga
Intended status: Standards Track                Sungkyunkwan University
Expires: [-October 2, 2021-] {+October 31, 2021+}              S. Hares
                                                                 L. Xia
                                                                 Huawei
                                                            H. Birkholz
                                                         Fraunhofer SIT
                                    [-March 31, 2021-] {+April 29, 2021+}

          I2NSF NSF Monitoring Interface YANG Data Model
       draft-ietf-i2nsf-nsf-monitoring-data-model-[-07-] {+08+}
Abstract

   This document proposes an information model and the corresponding
   YANG data model of an interface for monitoring Network Security
   Functions (NSFs) in the Interface to Network Security Functions
   (I2NSF) framework.  If the monitoring of NSFs is performed with the
   NSF monitoring interface in a comprehensive way, it is possible to
   detect the indication of malicious activity, anomalous behavior, the
   potential sign of denial of service attacks, or system overload in a
   skipping to change at page 1, line 46

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on [-October 2, 2021-] {+October 31,
   2021+}.
Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

   skipping to change at page 3, line 17
       7.5.1.  DPI Log . . . . . . . . . . . . . . . . . . . . . . .  20
       7.5.2.  Vulnerability Scanning Log  . . . . . . . . . . . . .  21
     7.6.  System Counter  . . . . . . . . . . . . . . . . . . . . .  21
       7.6.1.  Interface Counter . . . . . . . . . . . . . . . . . .  21
     7.7.  NSF Counters  . . . . . . . . . . . . . . . . . . . . . .  22
       7.7.1.  Firewall Counter  . . . . . . . . . . . . . . . . . .  22
       7.7.2.  Policy Hit Counter  . . . . . . . . . . . . . . . . .  24
   8.  NSF Monitoring Management in I2NSF  . . . . . . . . . . . . .  24
   9.  Tree Structure  . . . . . . . . . . . . . . . . . . . . . . .  25
   10. YANG Data Model . . . . . . . . . . . . . . . . . . . . . . .  33
   11. I2NSF Event Stream  . . . . . . . . . . . . . .  [-73-] {+74+}
   12. XML Examples for I2NSF NSF Monitoring . . . . .  [-74-] {+75+}
     12.1.  I2NSF System Detection Alarm . . . . . . . .  [-74-] {+75+}
     12.2.  I2NSF Interface Counters . . . . . . . . . .  [-76-] {+77+}
   13. IANA Considerations . . . . . . . . . . . . . .  [-77-] {+78+}
   14. Security Considerations . . . . . . . . . . . .  [-78-] {+79+}
   15. Acknowledgments . . . . . . . . . . . . . . . .  [-79-] {+80+}
   16. Contributors  . . . . . . . . . . . . . . . . .  [-79-] {+80+}
   17. References  . . . . . . . . . . . . . . . . . .  [-80-] {+81+}
     17.1.  Normative References . . . . . . . . . . . .  [-80-] {+81+}
     17.2.  Informative References . . . . . . . . . . .  [-83-] {+84+}
   Appendix A.  Changes from draft-ietf-i2nsf-nsf-monitoring-data-
                model-[-06-] {+07+} . . . . . . . . . .  [-85-] {+86+}
   Authors' Addresses  . . . . . . . . . . . . . . . .  [-85-] {+86+}
1.  Introduction

   According to [RFC8329], the interface provided by a Network Security
   Function (NSF) (e.g., Firewall, IPS, Anti-DDoS, or Anti-Virus
   function) to administrative entities (e.g., Security Controller) to
   enable remote management (i.e., configuring and monitoring) is
   referred to as an I2NSF Monitoring Interface.  Monitoring procedures
   are intended to acquire vital types of data with respect to NSFs
   (e.g., alarms, records, and counters) via data in motion (e.g.,
   queries,

   skipping to change at page 25, line 48
      level policy) is applied to an NSF via the NSF-Facing Interface.
      The monitoring data model for an NSF specifies the list of events
      that can trigger Event-Condition-Action (ECA) policies via the
      NSF Monitoring Interface.

9.  Tree Structure

   The tree structure of the NSF monitoring YANG module is provided
   below:
   module: ietf-i2nsf-nsf-monitoring
     +--ro i2nsf-counters
     |  +--ro system-interface* [interface-name]
     |  |  +--ro acquisition-method?          identityref
     |  |  +--ro emission-type?               identityref
     |  |  +--ro dampening-type?              identityref
     |  |  +--ro interface-name               string
     |  |  +--ro in-total-traffic-pkts?       yang:counter32
     |  |  +--ro out-total-traffic-pkts?      yang:counter32
     |  |  +--ro in-total-traffic-bytes?      uint64
     |  |  +--ro out-total-traffic-bytes?     uint64
     |  |  +--ro in-drop-traffic-pkts?        yang:counter32
     |  |  +--ro out-drop-traffic-pkts?       yang:counter32
     |  |  +--ro in-drop-traffic-bytes?       uint64
     |  |  +--ro out-drop-traffic-bytes?      uint64
     |  |  +--ro total-traffic?               yang:counter32
     |  |  +--ro in-traffic-average-rate?     uint32
     |  |  +--ro in-traffic-peak-rate?        uint32
     |  |  +--ro in-traffic-average-speed?    uint32
     |  |  +--ro in-traffic-peak-speed?       uint32
     |  |  +--ro out-traffic-average-rate?    uint32
     |  |  +--ro out-traffic-peak-rate?       uint32
     |  |  +--ro out-traffic-average-speed?   uint32
     |  |  +--ro out-traffic-peak-speed?      uint32
     |  |  +--ro message?                     string
     |  |  +--ro vendor-name?                 string
     |  |  +--ro nsf-name?                    string
     |  |  +--ro severity?                    severity
     |  +--ro nsf-firewall* [policy-name]
     |  |  +--ro acquisition-method?          identityref
     |  |  +--ro emission-type?               identityref
     |  |  +--ro dampening-type?              identityref
     |  |  +--ro policy-name
     |  |  |       -> /nsfi:i2nsf-security-policy/system-policy/system-policy-name
     |  |  +--ro src-user?                    string
     |  |  +--ro total-traffic?               yang:counter32
     |  |  +--ro in-traffic-average-rate?     uint32
     |  |  +--ro in-traffic-peak-rate?        uint32
     |  |  +--ro in-traffic-average-speed?    uint32
     |  |  +--ro in-traffic-peak-speed?       uint32
     |  |  +--ro out-traffic-average-rate?    uint32
     |  |  +--ro out-traffic-peak-rate?       uint32
     |  |  +--ro out-traffic-average-speed?   uint32
     |  |  +--ro out-traffic-peak-speed?      uint32
     |  |  +--ro message?                     string
     |  |  +--ro vendor-name?                 string
     |  |  +--ro nsf-name?                    string
     |  |  +--ro severity?                    severity
     |  +--ro nsf-policy-hits* [policy-name]
     |     +--ro acquisition-method?          identityref
     |     +--ro emission-type?               identityref
     |     +--ro dampening-type?              identityref
     |     +--ro policy-name
     |     |       -> /nsfi:i2nsf-security-policy/system-policy/system-policy-name
     |     +--ro src-user?                    string
     |     +--ro message?                     string
     |     +--ro vendor-name?                 string
     |     +--ro nsf-name?                    string
     |     +--ro severity?                    severity
     |     +--ro hit-times?                   yang:counter32
     +--rw i2nsf-monitoring-configuration
        +--rw i2nsf-system-detection-alarm
        |  +--rw enabled?            boolean
        |  +--rw system-alarm* [alarm-type]
        |     +--rw alarm-type          enumeration
        |     +--rw threshold?          uint8
        |     +--rw dampening-period?   uint32
        +--rw i2nsf-system-detection-event
        |  +--rw enabled?            boolean
        |  +--rw dampening-period?   uint32
        +--rw i2nsf-traffic-flows
        |  +--rw dampening-period?   uint32
        |  +--rw enabled?            boolean
        +--rw i2nsf-nsf-detection-ddos {i2nsf-nsf-detection-ddos}?
        |  +--rw enabled?            boolean
        |  +--rw dampening-period?   uint32
        +--rw i2nsf-nsf-detection-session-table-configuration
        |  +--rw enabled?            boolean
        |  +--rw dampening-period?   uint32
        +--rw i2nsf-nsf-detection-virus {i2nsf-nsf-detection-virus}?
        |  +--rw enabled?            boolean
        |  +--rw dampening-period?   uint32
        +--rw i2nsf-nsf-detection-intrusion
        |        {i2nsf-nsf-detection-intrusion}?
        |  +--rw enabled?            boolean
        |  +--rw dampening-period?   uint32
        +--rw i2nsf-nsf-detection-botnet {i2nsf-nsf-detection-botnet}?
        |  +--rw enabled?            boolean
        |  +--rw dampening-period?   uint32
        +--rw i2nsf-nsf-detection-web-attack
        |        {i2nsf-nsf-detection-web-attack}?
        |  +--rw enabled?            boolean
        |  +--rw dampening-period?   uint32
        +--rw i2nsf-nsf-system-access-log
        |  +--rw enabled?            boolean
        |  +--rw dampening-period?   uint32
        +--rw i2nsf-system-res-util-log
        |  +--rw enabled?            boolean
        |  +--rw dampening-period?   uint32
        +--rw i2nsf-system-user-activity-log
        |  +--rw enabled?            boolean
        |  +--rw dampening-period?   uint32
        +--rw i2nsf-nsf-log-dpi {i2nsf-nsf-log-dpi}?
        |  +--rw enabled?            boolean
        |  +--rw dampening-period?   uint32
        +--rw i2nsf-nsf-log-vuln-scan {i2nsf-nsf-log-vuln-scan}?
        |  +--rw enabled?            boolean
        |  +--rw dampening-period?   uint32
        +--rw i2nsf-counter
           +--rw period?             uint16

     notifications:
       +---n i2nsf-event
       |  +--ro (sub-event-type)?
       |     +--:(i2nsf-system-detection-alarm)
       |     |  +--ro i2nsf-system-detection-alarm
       |     |     +--ro alarm-category?       identityref
       |     |     +--ro component-name?       string
       |     |     +--ro interface-name?       string
       |     |     +--ro interface-state?      enumeration
       |     |     +--ro acquisition-method?   identityref
       |     |     +--ro emission-type?        identityref
       |     |     +--ro dampening-type?       identityref
       |     |     +--ro usage?                uint8
       |     |     +--ro threshold?            uint8
       |     |     +--ro message?              string
       |     |     +--ro vendor-name?          string
       |     |     +--ro nsf-name?             string
       |     |     +--ro severity?             severity
       |     +--:(i2nsf-system-detection-event)
       |     |  +--ro i2nsf-system-detection-event
       |     |     +--ro event-category?       identityref
       |     |     +--ro acquisition-method?   identityref
       |     |     +--ro emission-type?        identityref
       |     |     +--ro dampening-type?       identityref
       |     |     +--ro user                  string
       |     |     +--ro group                 string
       |     |     +--ro login-ip-addr         inet:ip-address
       |     |     +--ro authentication?       identityref
       |     |     +--ro message?              string
       |     |     +--ro vendor-name?          string
       |     |     +--ro nsf-name?             string
       |     |     +--ro severity?             severity
       |     +--:(i2nsf-traffic-flows)
       |     |  +--ro i2nsf-traffic-flows
       |     |     +--ro src-ip?               inet:ip-address
       |     |     +--ro dst-ip?               inet:ip-address
       |     |     +--ro protocol?             identityref
       |     |     +--ro src-port?             inet:port-number
       |     |     +--ro dst-port?             inet:port-number
       |     |     +--ro arrival-rate?         uint32
       |     |     +--ro acquisition-method?   identityref
       |     |     +--ro emission-type?        identityref
       |     |     +--ro dampening-type?       identityref
       |     |     +--ro message?              string
       |     |     +--ro vendor-name?          string
       |     |     +--ro nsf-name?             string
       |     |     +--ro severity?             severity
       |     +--:(i2nsf-nsf-detection-session-table)
       |        +--ro i2nsf-nsf-detection-session-table
       |           +--ro current-session?      uint32
       |           +--ro maximum-session?      uint32
       |           +--ro threshold?            uint32
       |           +--ro message?              string
       |           +--ro vendor-name?          string
       |           +--ro nsf-name?             string
       |           +--ro severity?             severity
       +---n i2nsf-log
       |  +--ro (sub-logs-type)?
       |     +--:(i2nsf-nsf-system-access-log)
       |     |  +--ro i2nsf-nsf-system-access-log
       |     |     +--ro login-ip              inet:ip-address
       |     |     +--ro administrator?        string
       |     |     +--ro login-mode?           login-mode
       |     |     +--ro operation-type?       operation-type
       |     |     +--ro result?               string
       |     |     +--ro content?              string
       |     |     +--ro acquisition-method?   identityref
       |     |     +--ro emission-type?        identityref
       |     |     +--ro dampening-type?       identityref
       |     |     +--ro message?              string
       |     |     +--ro vendor-name?          string
       |     |     +--ro nsf-name?             string
       |     |     +--ro severity?             severity
       |     +--:(i2nsf-system-res-util-log)
       |     |  +--ro i2nsf-system-res-util-log
       |     |     +--ro system-status?        string
       |     |     +--ro cpu-usage?            uint8
       |     |     +--ro memory-usage?         uint8
       |     |     +--ro disk-usage?           uint8
       |     |     +--ro disk-left?            uint8
       |     |     +--ro session-num?          uint8
       |     |     +--ro process-num?          uint8
       |     |     +--ro in-traffic-rate?      uint32
       |     |     +--ro out-traffic-rate?     uint32
       |     |     +--ro in-traffic-speed?     uint32
       |     |     +--ro out-traffic-speed?    uint32
       |     |     +--ro acquisition-method?   identityref
       |     |     +--ro emission-type?        identityref
       |     |     +--ro dampening-type?       identityref
       |     |     +--ro message?              string
       |     |     +--ro vendor-name?          string
       |     |     +--ro nsf-name?             string
       |     |     +--ro severity?             severity
       |     +--:(i2nsf-system-user-activity-log)
       |        +--ro i2nsf-system-user-activity-log
       |           +--ro acquisition-method?   identityref
       |           +--ro emission-type?        identityref
       |           +--ro dampening-type?       identityref
       |           +--ro user                  string
       |           +--ro group                 string
       |           +--ro login-ip-addr         inet:ip-address
       |           +--ro authentication?       identityref
       |           +--ro message?              string
       |           +--ro vendor-name?          string
       |           +--ro nsf-name?             string
       |           +--ro severity?             severity
       |           +--ro access?               identityref
       |           +--ro online-duration?      string
       |           +--ro logout-duration?      string
       |           +--ro additional-info?      string
       +---n i2nsf-nsf-event
          +--ro (sub-event-type)?
             +--:(i2nsf-nsf-detection-ddos) {i2nsf-nsf-detection-ddos}?
             |  +--ro i2nsf-nsf-detection-ddos
             |     +--ro dst-ip?               inet:ip-address
             |     +--ro dst-port?             inet:port-number
             |     +--ro rule-name
             |     |       -> /nsfi:i2nsf-security-policy/system-policy/rules/rule-name
             |     +--ro raw-info?             string
             |     +--ro attack-type?          identityref
             |     +--ro start-time            yang:date-and-time
             |     +--ro end-time              yang:date-and-time
             |     +--ro attack-src-ip?        inet:ip-address
             |     +--ro attack-dst-ip?        inet:ip-address
             |     +--ro attack-rate?          uint32
             |     +--ro attack-speed?         uint32
             |     +--ro action?               log-action
             |     +--ro acquisition-method?   identityref
             |     +--ro emission-type?        identityref
             |     +--ro dampening-type?       identityref
             |     +--ro message?              string
             |     +--ro vendor-name?          string
             |     +--ro nsf-name?             string
             |     +--ro severity?             severity
             +--:(i2nsf-nsf-detection-virus) {i2nsf-nsf-detection-virus}?
             |  +--ro i2nsf-nsf-detection-virus
             |     +--ro dst-ip?               inet:ip-address
             |     +--ro dst-port?             inet:port-number
             |     +--ro rule-name
             |     |       -> /nsfi:i2nsf-security-policy/system-policy/rules/rule-name
             |     +--ro raw-info?             string
             |     +--ro src-ip?               inet:ip-address
             |     +--ro src-port?             inet:port-number
             |     +--ro src-zone?             string
             |     +--ro dst-zone?             string
             |     +--ro virus?                identityref
             |     +--ro virus-name?           string
             |     +--ro file-type?            string
             |     +--ro file-name?            string
             |     +--ro os?                   string
             |     +--ro action?               log-action
             |     +--ro acquisition-method?   identityref
             |     +--ro emission-type?        identityref
             |     +--ro dampening-type?       identityref
             |     +--ro message?              string
             |     +--ro vendor-name?          string
             |     +--ro nsf-name?             string
             |     +--ro severity?             severity
             +--:(i2nsf-nsf-detection-intrusion)
             |        {i2nsf-nsf-detection-intrusion}?
             |  +--ro i2nsf-nsf-detection-intrusion
             |     +--ro dst-ip?               inet:ip-address
             |     +--ro dst-port?             inet:port-number
             |     +--ro rule-name
             |     |       -> /nsfi:i2nsf-security-policy/system-policy/rules/rule-name
             |     +--ro raw-info?             string
             |     +--ro src-ip?               inet:ip-address
             |     +--ro src-port?             inet:port-number
             |     +--ro src-zone?             string
             |     +--ro dst-zone?             string
             |     +--ro protocol?             identityref
             |     +--ro app?                  string
             |     +--ro attack-type?          identityref
             |     +--ro action?               log-action
             |     +--ro attack-rate?          uint32
             |     +--ro attack-speed?         uint32
             |     +--ro acquisition-method?   identityref
             |     +--ro emission-type?        identityref
             |     +--ro dampening-type?       identityref
             |     +--ro message?              string
             |     +--ro vendor-name?          string
             |     +--ro nsf-name?             string
             |     +--ro severity?             severity
             +--:(i2nsf-nsf-detection-botnet)
             |        {i2nsf-nsf-detection-botnet}?
             |  +--ro i2nsf-nsf-detection-botnet
             |     +--ro dst-ip?               inet:ip-address
             |     +--ro dst-port?             inet:port-number
             |     +--ro rule-name
             |     |       -> /nsfi:i2nsf-security-policy/system-policy/rules/rule-name
             |     +--ro raw-info?             string
             |     +--ro src-ip?               inet:ip-address
             |     +--ro src-port?             inet:port-number
             |     +--ro src-zone?             string
             |     +--ro dst-zone?             string
             |     +--ro attack-type?          identityref
             |     +--ro protocol?             identityref
             |     +--ro botnet-name?          string
             |     +--ro role?                 string
             |     +--ro action?               log-action
             |     +--ro botnet-pkt-num?       uint8
             |     +--ro os?                   string
             |     +--ro acquisition-method?   identityref
             |     +--ro emission-type?        identityref
             |     +--ro dampening-type?       identityref
             |     +--ro message?              string
             |     +--ro vendor-name?          string
             |     +--ro nsf-name?             string
             |     +--ro severity?             severity
             +--:(i2nsf-nsf-detection-web-attack)
             |        {i2nsf-nsf-detection-web-attack}?
             |  +--ro i2nsf-nsf-detection-web-attack
             |     +--ro dst-ip?               inet:ip-address
             |     +--ro dst-port?             inet:port-number
             |     +--ro rule-name
             |     |       -> /nsfi:i2nsf-security-policy/system-policy/rules/rule-name
             |     +--ro raw-info?             string
             |     +--ro src-ip?               inet:ip-address
             |     +--ro src-port?             inet:port-number
             |     +--ro src-zone?             string
             |     +--ro dst-zone?             string
             |     +--ro attack-type?          identityref
             |     +--ro request-method?       identityref
             |     +--ro req-uri?              string
             |     +--ro uri-category?         string
             |     +--ro filtering-type*       identityref
             |     +--ro rsp-code?             string
             |     +--ro req-clientapp?        string
             |     +--ro req-cookies?          string
             |     +--ro req-host?             string
             |     +--ro acquisition-method?   identityref
             |     +--ro emission-type?        identityref
             |     +--ro dampening-type?       identityref
             |     +--ro action?               log-action
             |     +--ro message?              string
             |     +--ro vendor-name?          string
             |     +--ro nsf-name?             string
             |     +--ro severity?             severity
             +--:(i2nsf-nsf-log-vuln-scan) {i2nsf-nsf-log-vuln-scan}?
             |  +--ro i2nsf-nsf-log-vuln-scan
             |     +--ro vulnerability-id?     uint8
             |     +--ro victim-ip?            inet:ip-address
             |     +--ro protocol?             identityref
             |     +--ro port-num?             inet:port-number
             |     +--ro level?                severity
             |     +--ro os?                   string
             |     +--ro vulnerability-info?   string
             |     +--ro fix-suggestion?       string
             |     +--ro service?              string
             |     +--ro acquisition-method?   identityref
             |     +--ro emission-type?        identityref
             |     +--ro dampening-type?       identityref
             |     +--ro message?              string
             |     +--ro vendor-name?          string
             |     +--ro nsf-name?             string
             |     +--ro severity?             severity
             +--:(i2nsf-nsf-log-dpi) {i2nsf-nsf-log-dpi}?
                +--ro i2nsf-nsf-log-dpi
                   +--ro attack-type?          dpi-type
                   +--ro acquisition-method?   identityref
                   +--ro emission-type?        identityref
                   +--ro dampening-type?       identityref
                   +--ro policy-name
                   |       -> /nsfi:i2nsf-security-policy/system-policy/system-policy-name
                   +--ro src-user?             string
                   +--ro message?              string
                   +--ro vendor-name?          string
                   +--ro nsf-name?             string
                   +--ro severity?             severity

              Figure 1: Information Model for NSF Monitoring
10. YANG Data Model 10. YANG Data Model
This section describes a YANG module of I2NSF NSF Monitoring. This This section describes a YANG module of I2NSF NSF Monitoring. This
YANG module imports from [RFC6991], and makes references to [RFC0768] YANG module imports from [RFC6991], and makes references to
[RFC0791][RFC0792][RFC0793][RFC0956][RFC2616][RFC4443][RFC8200][RFC86 [RFC0768][RFC0791] [RFC0792][RFC0793][RFC0956]
41]. [RFC0959][RFC2616][RFC4443] [RFC8200][RFC8632][RFC8641].
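The module that follows expresses its protocol, filter and attack taxonomies as YANG identities, and an identityref leaf accepts a value only if it derives from the leaf's base through some chain of bases (tcp, for instance, derives from both ipv4 and ipv6). As an added example that is not part of the draft, the Python below re-implements that derivation check over a transcribed subset of the module's identities, together with the severity enumeration, the 0..100 percent ranges and the zone string pattern, and applies them to constructed records; the base of the vuln-scan protocol leaf is not shown in this section and is assumed here to be protocol-type.

```python
"""Constraint checks for I2NSF NSF monitoring records.

Added example, not part of the draft: the identity table, enum values, ranges
and patterns are transcribed from the ietf-i2nsf-nsf-monitoring module; the
records passed to the validators are constructed samples.
"""
import re
from typing import Dict, List, Tuple

# identity -> its base identities.  YANG 1.1 allows several 'base' statements,
# which is how the module makes tcp/udp/icmp derive from both ipv4 and ipv6.
IDENTITY_BASES: Dict[str, Tuple[str, ...]] = {
    "protocol-type": (), "ip": ("protocol-type",),
    "ipv4": ("ip",), "ipv6": ("ip",),
    "tcp": ("ipv4", "ipv6"), "udp": ("ipv4", "ipv6"), "icmp": ("ipv4", "ipv6"),
    "icmpv4": ("ipv4",), "icmpv6": ("ipv6",),
    "http": ("tcp",), "ftp": ("tcp",),
    "filter-type": (), "whitelist": ("filter-type",),
    "blacklist": ("filter-type",), "user-defined": ("filter-type",),
    "malicious-category": ("filter-type",), "unknown-filter": ("filter-type",),
    "access-mode": (), "ppp": ("access-mode",), "svn": ("access-mode",),
    "local": ("access-mode",),
}
SEVERITY = ("critical", "high", "middle", "low")  # typedef severity
ZONE_PATTERN = re.compile(r"[0-9a-zA-Z ]*")      # src-zone / dst-zone pattern


def derived_from_or_self(identity: str, base: str) -> bool:
    """YANG derived-from-or-self(): follow every base chain of the identity DAG."""
    seen, stack = set(), [identity]
    while stack:
        cur = stack.pop()
        if cur == base:
            return True
        if cur in seen or cur not in IDENTITY_BASES:
            continue
        seen.add(cur)
        stack.extend(IDENTITY_BASES[cur])
    return False


def check_identityref(leaf: str, value: str, base: str) -> List[str]:
    """An identityref leaf accepts exactly the identities derived from its base."""
    if derived_from_or_self(value, base):
        return []
    return [f"{leaf}: '{value}' is not derived from '{base}'"]


def check_percent(leaf: str, value: int) -> List[str]:
    """uint8 with range 0..100 and units percent (usage and threshold leaves)."""
    if isinstance(value, int) and 0 <= value <= 100:
        return []
    return [f"{leaf}: {value!r} outside range 0..100"]


def check_zone(leaf: str, value: str) -> List[str]:
    """string with length 1..100 and pattern [0-9a-zA-Z ]*; YANG patterns are
    anchored, so a single stray character such as ';' fails the whole leaf."""
    errs = []
    if not 1 <= len(value) <= 100:
        errs.append(f"{leaf}: length {len(value)} outside 1..100")
    if ZONE_PATTERN.fullmatch(value) is None:
        errs.append(f"{leaf}: {value!r} does not match pattern [0-9a-zA-Z ]*")
    return errs


def check_enum(leaf: str, value: str, allowed: Tuple[str, ...]) -> List[str]:
    return [] if value in allowed else [f"{leaf}: {value!r} not one of {allowed}"]


def validate_web_attack_log(rec: dict) -> List[str]:
    """i2nsf-nsf-log-web-attack: zones are constrained strings, filtering-type is
    a leaf-list whose every member must derive from filter-type, severity is
    the enumeration."""
    errs: List[str] = []
    for zone in ("src-zone", "dst-zone"):
        if zone in rec:
            errs += check_zone(zone, rec[zone])
    for ft in rec.get("filtering-type", []):
        errs += check_identityref("filtering-type", ft, "filter-type")
    if "severity" in rec:
        errs += check_enum("severity", rec["severity"], SEVERITY)
    return errs


def validate_vuln_scan_log(rec: dict) -> List[str]:
    """i2nsf-nsf-log-vuln-scan: 'protocol' is an identityref whose base is
    assumed here to be protocol-type; 'level' reuses typedef severity."""
    errs: List[str] = []
    if "protocol" in rec:
        errs += check_identityref("protocol", rec["protocol"], "protocol-type")
    if "level" in rec:
        errs += check_enum("level", rec["level"], SEVERITY)
    return errs


def validate_alarm(rec: dict) -> List[str]:
    """i2nsf-system-alarm-type-content: usage and threshold are 0..100 percent."""
    return [e for leaf in ("usage", "threshold") if leaf in rec
            for e in check_percent(leaf, rec[leaf])]
```

A record such as {"severity": "medium"} is rejected because the module's enumeration spells the third level "middle"; a collector that maps vendor severities onto this typedef has to use the module's names.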
<CODE BEGINS> file "ietf-i2nsf-nsf-monitoring@2021-03-31.yang"
module ietf-i2nsf-nsf-monitoring { <CODE BEGINS> file "ietf-i2nsf-nsf-monitoring@2021-04-29.yang"
yang-version 1.1;
namespace
"urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring";
prefix
nsfmi;
import ietf-inet-types{
prefix inet;
reference
"Section 4 of RFC 6991";
}
import ietf-yang-types {
prefix yang;
reference
"Section 3 of RFC 6991";
}
import ietf-i2nsf-policy-rule-for-nsf {
prefix nsfi;
}
organization
"IETF I2NSF (Interface to Network Security Functions)
Working Group";
contact
"WG Web: <http://tools.ietf.org/wg/i2nsf>
WG List: <mailto:i2nsf@ietf.org>
Editor: Jaehoon Paul Jeong module ietf-i2nsf-nsf-monitoring {
<mailto:pauljeong@skku.edu> yang-version 1.1;
namespace
"urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring";
prefix
nsfmi;
import ietf-inet-types{
prefix inet;
reference
"Section 4 of RFC 6991";
}
import ietf-yang-types {
prefix yang;
reference
"Section 3 of RFC 6991";
}
import ietf-i2nsf-policy-rule-for-nsf {
prefix nsfi;
reference
"Section 4.1 of draft-ietf-i2nsf-nsf-facing-interface-dm-12";
}
organization
"IETF I2NSF (Interface to Network Security Functions)
Working Group";
contact
"WG Web: <http://tools.ietf.org/wg/i2nsf>
WG List: <mailto:i2nsf@ietf.org>
Editor: Patrick Lingga Editor: Jaehoon Paul Jeong
<mailto:patricklink@skku.edu>"; <mailto:pauljeong@skku.edu>
description Editor: Patrick Lingga
"This module is a YANG module for I2NSF NSF Monitoring. <mailto:patricklink@skku.edu>";
Copyright (c) 2021 IETF Trust and the persons identified as description
authors of the code. All rights reserved. "This module is a YANG module for I2NSF NSF Monitoring.
Redistribution and use in source and binary forms, with or Copyright (c) 2021 IETF Trust and the persons identified as
without modification, is permitted pursuant to, and subject to authors of the code. All rights reserved.
the license terms contained in, the Simplified BSD License set
forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX Redistribution and use in source and binary forms, with or
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself without modification, is permitted pursuant to, and subject to
for full legal notices."; the license terms contained in, the Simplified BSD License set
forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(https://trustee.ietf.org/license-info).
revision "2021-03-31" { This version of this YANG module is part of RFC XXXX
description "Initial revision"; (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself
reference for full legal notices.";
"RFC XXXX: I2NSF NSF Monitoring YANG Data Model";
// RFC Ed.: replace XXXX with an actual RFC number and remove revision "2021-04-29" {
// this note. description "Latest revision";
} reference
"RFC XXXX: I2NSF NSF Monitoring Interface YANG Data Model";
/* // RFC Ed.: replace XXXX with an actual RFC number and remove
* Typedefs // this note.
*/ }
typedef severity { /*
type enumeration { * Typedefs
enum critical { */
description
"The 'critical' severity level indicates that
an immediate corrective action is required.
A 'critical' severity is reported when a service
becomes totally out of service and must be restored.";
}
enum high {
description
"The 'high' severity level indicates that
an urgent corrective action is required.
A 'high' severity is reported when there is
a severe degradation in the capability of the
service and its full capability must be restored.";
}
enum middle {
description
"The 'middle' severity level indicates the
existence of a non-service-affecting fault
condition and corrective action should be done
to prevent a more serious fault. The 'middle'
severity is reported when the detected problem
is not degrading the capability of the service but
might happen if not prevented.";
}
enum low {
description
"The 'low' severity level indicates the detection
of a potential fault before any effect is felt.
The 'low' severity is reported when an action should
be done before a fault happen.";
}
}
description
"An indicator representing severity level. The severity level
starting from the highest are critical, high, middle, and
low.";
reference
"RFC 8632: A YANG Data Model for Alarm Management -
The severity levels are defined.";
}
typedef log-action { typedef severity {
type enumeration { type enumeration {
enum allow { enum critical {
description description
"If action is allowed"; "The 'critical' severity level indicates that
} an immediate corrective action is required.
enum alert { A 'critical' severity is reported when a service
description becomes totally out of service and must be restored.";
"If action is alert"; }
} enum high {
enum block { description
description "The 'high' severity level indicates that
"If action is block"; an urgent corrective action is required.
} A 'high' severity is reported when there is
enum discard { a severe degradation in the capability of the
description service and its full capability must be restored.";
"If action is discarded"; }
} enum middle {
enum declare { description
description "The 'middle' severity level indicates the
"If action is declared"; existence of a non-service-affecting fault
} condition and corrective action should be done
enum block-ip { to prevent a more serious fault. The 'middle'
description severity is reported when the detected problem
"If action is block-ip"; is not degrading the capability of the service but
} might happen if not prevented.";
enum block-service{ }
description enum low {
"If action is block-service"; description
} "The 'low' severity level indicates the detection
} of a potential fault before any effect is felt.
description
"The type representing action for logging.";
}
typedef dpi-type{ The 'low' severity is reported when an action should
type enumeration { be done before a fault happen.";
enum file-blocking{ }
description }
"DPI for blocking file"; description
} "An indicator representing severity level. The severity level
enum data-filtering{ starting from the highest are critical, high, middle, and
description low.";
"DPI for filtering data"; reference
} "RFC 8632: A YANG Data Model for Alarm Management -
enum application-behavior-control{ The severity levels are defined.";
description }
"DPI for controlling application behavior";
}
}
description
"The type of deep packet inspection.";
}
typedef operation-type{ typedef log-action {
type enumeration { type enumeration {
enum login{ enum allow {
description description
"Login operation"; "If action is allowed";
} }
enum logout{ enum alert {
description description
"Logout operation"; "If action is alert";
} }
enum configuration{ enum block {
description description
"Configuration operation"; "If action is block";
} }
} enum discard {
description description
"The type of operation done by a user "If action is discarded";
during a session."; }
} enum declare {
description
"If action is declared";
}
enum block-ip {
description
"If action is block-ip";
}
enum block-service{
description
"If action is block-service";
}
}
description
"The type representing action for logging.";
}
typedef dpi-type{
type enumeration {
enum file-blocking{
description
"DPI for blocking file";
}
enum data-filtering{
description
"DPI for filtering data";
}
enum application-behavior-control{
description
"DPI for controlling application behavior";
}
}
description
"The type of deep packet inspection.";
}
typedef login-mode{ typedef operation-type{
type enumeration { type enumeration {
enum root{ enum login{
description description
"Root login-mode"; "Login operation";
} }
enum user{ enum logout{
description description
"User login-mode"; "Logout operation";
} }
enum guest{ enum configuration{
description description
"Guest login-mode"; "Configuration operation";
} }
} }
description description
"The authorization login-mode done by a user."; "The type of operation done by a user
} during a session.";
}
/* typedef login-mode{
* Identity type enumeration {
*/ enum root{
description
"Root login-mode";
}
enum user{
description
"User login-mode";
identity characteristics { }
description enum guest{
"Base identity for monitoring information description
characteristics"; "Guest login-mode";
} }
identity acquisition-method { }
base characteristics; description
description "The authorization login-mode done by a user.";
"The type of acquisition-method. It can be multiple }
types at once.";
}
identity subscription {
base acquisition-method;
description
"The acquisition-method type is subscription.";
}
identity query {
base acquisition-method;
description
"The acquisition-method type is query.";
}
identity emission-type {
base characteristics;
description
"The type of emission-type.";
}
identity periodical {
base emission-type;
description
"The emission-type type is periodical.";
}
identity on-change {
base emission-type;
description
"The emission-type type is on-change.";
} /*
identity dampening-type { * Identity
base characteristics; */
description
"The type of dampening-type.";
}
identity no-dampening {
base dampening-type;
description
"The dampening-type is no-dampening.";
}
identity on-repetition {
base dampening-type;
description
"The dampening-type is on-repetition.";
}
identity none {
base dampening-type;
description
"The dampening-type is none.";
}
identity authentication-mode {
description
"User authentication mode types:
e.g., Local Authentication,
Third-Party Server Authentication,
Authentication Exemption, or Single Sign-On (SSO)
Authentication.";
}
identity local-authentication {
base authentication-mode;
description
"Authentication-mode : local authentication.";
}
identity third-party-server-authentication {
base authentication-mode;
description
"If authentication-mode is
third-party-server-authentication";
}
identity exemption-authentication {
base authentication-mode;
description
"If authentication-mode is
exemption-authentication";
}
identity sso-authentication {
base authentication-mode;
description
"If authentication-mode is
sso-authentication";
}
identity alarm-type {
description
"Base identity for detectable alarm types";
}
identity mem-usage-alarm {
base alarm-type;
description
"A memory alarm is alerted.";
}
identity cpu-usage-alarm {
base alarm-type;
description
"A CPU alarm is alerted.";
}
identity disk-usage-alarm {
base alarm-type;
description
"A disk alarm is alerted.";
}
identity hw-failure-alarm {
base alarm-type;
description
"A hardware alarm is alerted.";
}
identity ifnet-state-alarm {
base alarm-type;
description
"An interface alarm is alerted.";
}
identity event-type {
description
"Base identity for detectable event types";
}
identity access-denied {
base event-type;
description
"The system event is access-denied.";
}
identity config-change {
base event-type;
description
"The system event is config-change.";
}
identity attack-type {
description
"The root ID of attack-based notification
in the notification taxonomy";
}
identity system-attack-type {
base attack-type;
description
"This ID is intended to be used
in the context of system events.";
}
identity nsf-attack-type {
base attack-type;
description
"This ID is intended to be used
in the context of NSF event.";
}
identity botnet-attack-type {
base nsf-attack-type;
description
"This indicates that this attack type is botnet.
The usual semantic and taxonomy is missing
and a name is used.";
}
identity virus-type {
base nsf-attack-type;
description
"The type of virus. It can be multiple types at once.
This attack type is associated with a detected
system-log virus-attack.";
}
identity trojan {
base virus-type;
description
"The detected virus type is trojan.";
}
identity worm {
base virus-type;
description
"The detected virus type is worm.";
}
identity macro {
base virus-type;
description
"The detected virus type is macro.";
}
identity intrusion-attack-type {
base nsf-attack-type;
description
"The attack type is associated with a detected
system-log intrusion.";
}
identity brute-force {
base intrusion-attack-type;
description
"The intrusion type is brute-force.";
}
identity buffer-overflow {
base intrusion-attack-type;
description
"The intrusion type is buffer-overflow.";
}
identity web-attack-type {
base nsf-attack-type;
description
"The attack type is associated with a detected
system-log web-attack.";
}
identity command-injection {
base web-attack-type;
description
"The detected web attack type is command injection.";
}
identity xss {
base web-attack-type;
description
"The detected web attack type is XSS.";
}
identity csrf {
base web-attack-type;
description
"The detected web attack type is CSRF.";
}
identity flood-type {
base nsf-attack-type;
description
"Base identity for detectable flood types";
}
identity syn-flood {
base flood-type;
description
"A SYN flood is detected.";
}
identity ack-flood {
base flood-type;
description
"An ACK flood is detected.";
} identity characteristics {
identity syn-ack-flood { description
base flood-type; "Base identity for monitoring information
description characteristics";
"A SYN-ACK flood is detected."; }
} identity acquisition-method {
identity fin-rst-flood { base characteristics;
base flood-type; description
description "The type of acquisition-method. It can be multiple
"A FIN-RST flood is detected."; types at once.";
} }
identity tcp-con-flood { identity subscription {
base flood-type; base acquisition-method;
description description
"A TCP connection flood is detected."; "The acquisition-method type is subscription.";
} }
identity udp-flood { identity query {
base flood-type; base acquisition-method;
description description
"A UDP flood is detected."; "The acquisition-method type is query.";
} }
identity icmp-flood { identity emission-type {
base flood-type; base characteristics;
description description
"Either an ICMPv4 or ICMPv6 flood is detected."; "The type of emission-type.";
} }
identity icmpv4-flood { identity periodical {
base flood-type; base emission-type;
description description
"An ICMPv4 flood is detected."; "The emission-type type is periodical.";
} }
identity icmpv6-flood { identity on-change {
base flood-type; base emission-type;
description description
"An ICMPv6 flood is detected."; "The emission-type type is on-change.";
} }
identity http-flood { identity dampening-type {
base flood-type; base characteristics;
description description
"An HTTP flood is detected."; "The type of dampening-type.";
} }
identity https-flood { identity no-dampening {
base flood-type; base dampening-type;
description description
"An HTTPS flood is detected."; "The dampening-type is no-dampening.";
} }
identity dns-query-flood { identity on-repetition {
base flood-type; base dampening-type;
description description
"A DNS query flood is detected."; "The dampening-type is on-repetition.";
} }
identity dns-reply-flood { identity none {
base flood-type; base dampening-type;
description description
"A DNS reply flood is detected."; "The dampening-type is none.";
} }
identity sip-flood { identity authentication-mode {
base flood-type; description
description "User authentication mode types:
"An SIP flood is detected."; e.g., Local Authentication,
} Third-Party Server Authentication,
Authentication Exemption, or Single Sign-On (SSO)
Authentication.";
}
identity local-authentication {
base authentication-mode;
description
"Authentication-mode : local authentication.";
}
identity third-party-server-authentication {
base authentication-mode;
description
"If authentication-mode is
third-party-server-authentication";
}
identity exemption-authentication {
base authentication-mode;
description
"If authentication-mode is
exemption-authentication";
}
identity sso-authentication {
base authentication-mode;
description
"If authentication-mode is
sso-authentication";
}
identity alarm-type {
description
"Base identity for detectable alarm types";
}
identity mem-usage-alarm {
base alarm-type;
description
"A memory alarm is alerted.";
}
identity cpu-usage-alarm {
base alarm-type;
description
"A CPU alarm is alerted.";
}
identity disk-usage-alarm {
base alarm-type;
description
"A disk alarm is alerted.";
}
identity hw-failure-alarm {
base alarm-type;
description
"A hardware alarm is alerted.";
}
identity ifnet-state-alarm {
base alarm-type;
description
"An interface alarm is alerted.";
}
identity event-type {
description
"Base identity for detectable event types";
}
identity access-denied {
base event-type;
description
"The system event is access-denied.";
}
identity config-change {
base event-type;
description
"The system event is config-change.";
}
identity attack-type {
description
"The root ID of attack-based notification
in the notification taxonomy";
}
identity system-attack-type {
base attack-type;
description
"This ID is intended to be used
in the context of system events.";
}
identity nsf-attack-type {
base attack-type;
description
"This ID is intended to be used
in the context of NSF event.";
}
identity botnet-attack-type {
base nsf-attack-type;
description
"This indicates that this attack type is botnet.
The usual semantic and taxonomy is missing
and a name is used.";
}
identity virus-type {
base nsf-attack-type;
description
"The type of virus. It can be multiple types at once.
This attack type is associated with a detected
system-log virus-attack.";
}
identity trojan {
base virus-type;
description
"The detected virus type is trojan.";
}
identity worm {
base virus-type;
description
"The detected virus type is worm.";
}
identity macro {
base virus-type;
description
"The detected virus type is macro.";
}
identity intrusion-attack-type {
base nsf-attack-type;
description
"The attack type is associated with a detected
system-log intrusion.";
}
identity brute-force {
base intrusion-attack-type;
description
"The intrusion type is brute-force.";
}
identity buffer-overflow {
base intrusion-attack-type;
description
"The intrusion type is buffer-overflow.";
}
identity web-attack-type {
base nsf-attack-type;
description
"The attack type is associated with a detected
system-log web-attack.";
}
identity command-injection {
base web-attack-type;
description
"The detected web attack type is command injection.";
}
identity xss {
base web-attack-type;
description
"The detected web attack type is XSS.";
}
identity csrf {
base web-attack-type;
description
"The detected web attack type is CSRF.";
}
identity flood-type {
base nsf-attack-type;
description
"Base identity for detectable flood types";
}
identity syn-flood {
base flood-type;
description
"A SYN flood is detected.";
}
identity ack-flood {
base flood-type;
description
"An ACK flood is detected.";
}
identity syn-ack-flood {
base flood-type;
description
"A SYN-ACK flood is detected.";
}
identity fin-rst-flood {
base flood-type;
description
"A FIN-RST flood is detected.";
}
identity tcp-con-flood {
base flood-type;
description
"A TCP connection flood is detected.";
}
identity udp-flood {
base flood-type;
description
"A UDP flood is detected.";
}
identity icmp-flood {
base flood-type;
description
"Either an ICMPv4 or ICMPv6 flood is detected.";
}
identity icmpv4-flood {
base flood-type;
description
"An ICMPv4 flood is detected.";
}
identity icmpv6-flood {
base flood-type;
description
"An ICMPv6 flood is detected.";
}
identity http-flood {
base flood-type;
description
"An HTTP flood is detected.";
}
identity https-flood {
base flood-type;
description
"An HTTPS flood is detected.";
}
identity dns-query-flood {
base flood-type;
description
"A DNS query flood is detected.";
}
identity dns-reply-flood {
base flood-type;
description
"A DNS reply flood is detected.";
}
identity sip-flood {
base flood-type;
description
"An SIP flood is detected.";
}
     identity req-method {
       description
         "A set of request types (if applicable).
          For instance, PUT or GET in HTTP.";
     }
     identity put-req {
       base req-method;
       description
         "The detected request type is PUT.";
     }
     identity get-req {
       base req-method;
       description
         "The detected request type is GET.";
     }
     identity filter-type {
       description
         "The type of filter used to detect an attack,
          for example, a web-attack. It can be applicable to
          more than web-attacks. It can be more than one type.";
     }
     identity whitelist {
       base filter-type;
       description
         "The applied filter type is whitelist.";
     }
     identity blacklist {
       base filter-type;
       description
         "The applied filter type is blacklist.";
     }
identity user-defined { identity user-defined {
base filter-type;
description
"The applied filter type is user-defined.";
}
identity malicious-category {
base filter-type;
description
"The applied filter is malicious category.";
}
identity unknown-filter {
base filter-type; base filter-type;
description description
"The applied filter is unknown."; "The applied filter type is user-defined.";
} }
identity malicious-category {
identity access-mode { base filter-type;
description description
"Base identity for detectable access mode."; "The applied filter is malicious category.";
} }
identity ppp { identity unknown-filter {
base access-mode; base filter-type;
description description
"Access-mode: ppp"; "The applied filter is unknown.";
} }
identity svn {
base access-mode;
description
"Access-mode: svn";
}
identity local {
base access-mode;
description
"Access-mode: local";
}
identity protocol-type { identity access-mode {
description description
"An identity used to enable type choices in leaves "Base identity for detectable access mode.";
and leaflists with respect to protocol metadata."; }
} identity ppp {
identity tcp { base access-mode;
base ipv4; description
base ipv6; "Access-mode: ppp";
description }
"TCP protocol type."; identity svn {
reference base access-mode;
"RFC 793: Transmission Control Protocol"; description
} "Access-mode: svn";
identity udp { }
base ipv4; identity local {
base ipv6; base access-mode;
description description
"UDP protocol type."; "Access-mode: local";
reference }
"RFC 768: User Datagram Protocol";
}
identity icmp {
base ipv4;
base ipv6;
description
"General ICMP protocol type.";
reference
"RFC 792: Internet Control Message Protocol
RFC 4443: Internet Control Message Protocol
(ICMPv6) for the Internet Protocol Version 6
(IPv6) Specification";
}
identity icmpv4 {
base ipv4;
description
"ICMPv4 protocol type.";
reference
"RFC 791: Internet Protocol
RFC 792: Internet Control Message Protocol";
}
identity icmpv6 {
base ipv6;
description
"ICMPv6 protocol type.";
reference
"RFC 8200: Internet Protocol, Version 6 (IPv6)
RFC 4443: Internet Control Message Protocol (ICMPv6)
for the Internet Protocol Version 6 (IPv6)
Specification";
}
identity ip {
base protocol-type;
description
"General IP protocol type.";
reference
"RFC 791: Internet Protocol
RFC 8200: Internet Protocol, Version 6 (IPv6)";
}
identity ipv4 {
base ip;
description
"IPv4 protocol type.";
reference
"RFC 791: Internet Protocol";
}
identity ipv6 {
base ip;
description
"IPv6 protocol type.";
reference
"RFC 8200: Internet Protocol, Version 6 (IPv6)";
}
identity http {
base tcp;
description
"HTTP protocol type.";
reference
"RFC 2616: Hypertext Transfer Protocol";
}
identity ftp {
base tcp;
description
"FTP protocol type.";
reference
"RFC 959: File Transfer Protocol";
}
/* identity protocol-type {
* Grouping description
*/ "An identity used to enable type choices in leaves
and leaflists with respect to protocol metadata.";
}
identity tcp {
base ipv4;
base ipv6;
description
"TCP protocol type.";
reference
"RFC 793: Transmission Control Protocol";
}
identity udp {
base ipv4;
base ipv6;
description
"UDP protocol type.";
reference
"RFC 768: User Datagram Protocol";
}
identity icmp {
base ipv4;
base ipv6;
description
"General ICMP protocol type.";
reference
"RFC 792: Internet Control Message Protocol
RFC 4443: Internet Control Message Protocol
(ICMPv6) for the Internet Protocol Version 6
(IPv6) Specification";
}
identity icmpv4 {
base ipv4;
description
"ICMPv4 protocol type.";
reference
"RFC 791: Internet Protocol
RFC 792: Internet Control Message Protocol";
}
identity icmpv6 {
base ipv6;
description
"ICMPv6 protocol type.";
reference
"RFC 8200: Internet Protocol, Version 6 (IPv6)
RFC 4443: Internet Control Message Protocol (ICMPv6)
for the Internet Protocol Version 6 (IPv6)
Specification";
}
identity ip {
base protocol-type;
description
"General IP protocol type.";
reference
"RFC 791: Internet Protocol
RFC 8200: Internet Protocol, Version 6 (IPv6)";
}
identity ipv4 {
base ip;
description
"IPv4 protocol type.";
grouping common-monitoring-data { reference
description "RFC 791: Internet Protocol";
"A set of common monitoring data that is needed }
as the basic information."; identity ipv6 {
leaf message { base ip;
type string;
description
"This is a freetext annotation for
monitoring a notification's content.";
}
leaf vendor-name {
type string;
description
"The name of the NSF vendor";
}
leaf nsf-name {
type string;
description
"The name (or IP) of the NSF generating the message.";
}
leaf severity {
type severity;
description
"The severity of the alarm such as critical, high,
middle, low.";
}
}
grouping characteristics {
description
"A set of characteristics of a notification.";
leaf acquisition-method {
type identityref {
base acquisition-method;
}
description
"The acquisition-method for characteristics";
}
leaf emission-type {
type identityref {
base emission-type;
}
description description
"The emission-type for characteristics"; "IPv6 protocol type.";
} reference
leaf dampening-type { "RFC 8200: Internet Protocol, Version 6 (IPv6)";
type identityref { }
base dampening-type; identity http {
} base tcp;
description description
"The dampening-type for characteristics"; "HTTP protocol type.";
} reference
} "RFC 2616: Hypertext Transfer Protocol";
grouping i2nsf-system-alarm-type-content { }
description identity ftp {
"A set of contents for alarm type notification."; base tcp;
leaf usage { description
type uint8 { "FTP protocol type.";
range "0..100"; reference
} "RFC 959: File Transfer Protocol";
units "percent"; }
description
"Specifies the used percentage";
}
leaf threshold {
type uint8 {
range "0..100";
}
units "percent";
description
"The threshold percentage triggering the alarm or
the event";
}
}
grouping i2nsf-system-event-type-content {
description
"System event metadata associated with system events
caused by user activity.";
leaf user {
type string;
mandatory true;
description
"The name of a user";
}
leaf group {
type string;
mandatory true;
description
"The group to which a user belongs.";
}
leaf login-ip-addr {
type inet:ip-address;
mandatory true;
description
"The login IPv4 (or IPv6) address of a user.";
}
leaf authentication {
type identityref {
base authentication-mode;
}
description
"The authentication-mode for authentication";
}
}
grouping i2nsf-nsf-event-type-content {
description
"A set of common IPv4 (or IPv6)-related NSF event
content elements";
leaf dst-ip {
type inet:ip-address;
description
"The destination IPv4 (IPv6) address of the packet";
}
leaf dst-port {
type inet:port-number;
description
"The destination port of the packet";
} /*
leaf rule-name { * Grouping
type leafref { */
path
"/nsfi:i2nsf-security-policy/nsfi:system-policy/nsfi:rules/nsfi:rule-name";
}
mandatory true;
description
"The name of the rule being triggered";
}
leaf raw-info {
type string;
description
"The information describing the packet
triggering the event.";
}
}
grouping i2nsf-nsf-event-type-content-extend {
description
"A set of extended common IPv4 (or IPv6)-related NSF
event content elements";
uses i2nsf-nsf-event-type-content;
leaf src-ip {
type inet:ip-address;
description
"The source IPv4 (or IPv6) address of the packet";
}
leaf src-port {
type inet:port-number;
description
"The source port of the packet";
}
leaf src-zone {
type string {
length "1..100";
pattern "[0-9a-zA-Z ]*";
}
description
"The source security zone of the packet";
}
leaf dst-zone {
type string {
length "1..100";
pattern "[0-9a-zA-Z ]*";
}
description
"The destination security zone of the packet";
}
} grouping common-monitoring-data {
grouping log-action { description
description "A set of common monitoring data that is needed
"A grouping for logging action."; as the basic information.";
leaf action { leaf message {
type log-action; type string;
description description
"Action type: allow, alert, block, discard, declare, "This is a freetext annotation for
block-ip, block-service"; monitoring a notification's content.";
} }
} leaf vendor-name {
grouping attack-rates { type string;
description description
"A set of traffic rates for monitoring attack traffic "The name of the NSF vendor";
data"; }
leaf attack-rate { leaf nsf-name {
type uint32; type string;
units "pps"; description
description "The name (or IP) of the NSF generating the message.";
}
leaf severity {
type severity;
description
"The severity of the alarm such as critical, high,
middle, low.";
}
}
grouping characteristics {
description
"A set of characteristics of a notification.";
leaf acquisition-method {
type identityref {
base acquisition-method;
}
description
"The acquisition-method for characteristics";
}
leaf emission-type {
type identityref {
base emission-type;
}
description
"The emission-type for characteristics";
}
leaf dampening-type {
type identityref {
base dampening-type;
}
description
"The dampening-type for characteristics";
}
}
grouping i2nsf-system-alarm-type-content {
description
"A set of contents for alarm type notification.";
leaf usage {
type uint8 {
range "0..100";
}
units "percent";
description
"Specifies the used percentage";
}
leaf threshold {
type uint8 {
range "0..100";
}
units "percent";
description
"The threshold percentage triggering the alarm or
the event";
}
}
grouping i2nsf-system-event-type-content {
description
"System event metadata associated with system events
caused by user activity.";
leaf user {
type string;
mandatory true;
description
"The name of a user";
}
leaf group {
type string;
mandatory true;
description
"The group to which a user belongs.";
}
leaf login-ip-addr {
type inet:ip-address;
mandatory true;
description
"The login IPv4 (or IPv6) address of a user.";
}
leaf authentication {
type identityref {
base authentication-mode;
}
description
"The authentication-mode for authentication";
}
}
grouping i2nsf-nsf-event-type-content {
description
"A set of common IPv4 (or IPv6)-related NSF event
content elements";
leaf dst-ip {
type inet:ip-address;
description
"The destination IPv4 (IPv6) address of the packet";
}
leaf dst-port {
type inet:port-number;
description
"The destination port of the packet";
}
leaf rule-name {
type leafref {
path
"/nsfi:i2nsf-security-policy/nsfi:system-policy"
+"/nsfi:rules/nsfi:rule-name";
}
mandatory true;
description
"The name of the rule being triggered";
}
leaf raw-info {
type string;
description
"The information describing the packet
triggering the event.";
}
}
grouping i2nsf-nsf-event-type-content-extend {
description
"A set of extended common IPv4 (or IPv6)-related NSF
event content elements";
uses i2nsf-nsf-event-type-content;
leaf src-ip {
type inet:ip-address;
description
"The source IPv4 (or IPv6) address of the packet";
}
leaf src-port {
type inet:port-number;
description
"The source port of the packet";
}
leaf src-zone {
type string {
length "1..100";
pattern "[0-9a-zA-Z ]*";
}
description
"The source security zone of the packet";
}
leaf dst-zone {
type string {
length "1..100";
pattern "[0-9a-zA-Z ]*";
}
description
"The destination security zone of the packet";
}
}
grouping log-action {
description
"A grouping for logging action.";
leaf action {
type log-action;
description
"Action type: allow, alert, block, discard, declare,
block-ip, block-service";
}
}
grouping attack-rates {
description
"A set of traffic rates for monitoring attack traffic
data";
leaf attack-rate {
type uint32;
units "pps";
description
"The PPS rate of attack traffic";
}
leaf attack-speed {
type uint32;
units "bps";
description
"The BPS speed of attack traffic";
}
}
grouping traffic-rates {
description
"A set of traffic rates for statistics data";
leaf total-traffic {
type yang:counter32;
description
"Total traffic";
}
leaf in-traffic-average-rate {
type uint32;
units "pps";
description
"Inbound traffic average rate in packets per second (pps)";
}
leaf in-traffic-peak-rate {
type uint32;
units "pps";
description
"Inbound traffic peak rate in packets per second (pps)";
}
leaf in-traffic-average-speed {
type uint32;
units "bps";
description
"Inbound traffic average speed in bits per second (bps)";
}
leaf in-traffic-peak-speed {
type uint32;
units "bps";
description
"Inbound traffic peak speed in bits per second (bps)";
}
leaf out-traffic-average-rate {
type uint32;
units "pps";
description
"Outbound traffic average rate in packets per second (pps)";
}
leaf out-traffic-peak-rate {
type uint32;
units "pps";
description
"Outbound traffic peak rate in packets per second (pps)";
}
leaf out-traffic-average-speed {
type uint32;
units "bps";
description
"Outbound traffic average speed in bits per second (bps)";
}
leaf out-traffic-peak-speed {
type uint32;
units "bps";
description
"Outbound traffic peak speed in bits per second (bps)";
}
}
grouping i2nsf-system-counter-type-content{
description
"A set of counters for an interface traffic data.";
leaf interface-name {
type string;
description
"Network interface name configured in an NSF";
}
leaf in-total-traffic-pkts {
type yang:counter32;
description
"Total inbound packets";
}
leaf out-total-traffic-pkts {
type yang:counter32;
description
"Total outbound packets";
}
leaf in-total-traffic-bytes {
type uint64;
units "bytes";
description
"Total inbound bytes";
}
leaf out-total-traffic-bytes {
type uint64;
units "bytes";
description
"Total outbound bytes";
}
leaf in-drop-traffic-pkts {
type yang:counter32;
description
"Total inbound drop packets";
}
leaf out-drop-traffic-pkts {
type yang:counter32;
description
"Total outbound drop packets";
}
leaf in-drop-traffic-bytes {
type uint64;
units "bytes";
description
"Total inbound drop bytes";
}
leaf out-drop-traffic-bytes {
type uint64;
units "bytes";
description
"Total outbound drop bytes";
}
uses traffic-rates;
}
grouping i2nsf-nsf-counters-type-content{
description
"A set of contents of a policy in an NSF.";
leaf policy-name {
type leafref {
path
"/nsfi:i2nsf-security-policy/nsfi:system-policy"
+"/nsfi:system-policy-name";
}
mandatory true;
description
"The name of the policy being triggered";
}
leaf src-user{
type string;
description
"User who generates the policy";
}
}
grouping enable-notification {
description
"A grouping for enabling or disabling notification";
leaf enabled {
type boolean;
default "true";
description
"Enables or Disables the notification.
If 'true', then the notification is enabled.
If 'false', then the notification is disabled.";
}
}
grouping dampening {
description
"A grouping for dampening period of notification.";
leaf dampening-period {
type uint32;
units "centiseconds";
default "0";
description
"Specifies the minimum interval between the assembly of
successive update records for a single receiver of a
subscription. Whenever subscribed objects change and
a dampening-period interval (which may be zero) has
elapsed since the previous update record creation for
a receiver, any subscribed objects and properties
that have changed since the previous update record
will have their current values marshalled and placed
in a new update record. But if the subscribed objects change
when the dampening-period is active, it should update the
record without sending the notification until the dampening-
period is finished. If multiple changes happen during the
active dampening-period, it should update the record with the
latest data. And at the end of the dampening-period, it should
send the record as a notification with the latest updated
record and restart the countdown.";
reference
"RFC 8641: Subscription to YANG Notifications for
Datastore Updates - Section 5.";
}
}
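The dampening-period rules in the grouping above (send at once when no period is active; while a period is active, keep one buffered record updated with the latest data and send nothing; at the end of the period, send that record and restart the countdown), worked through as runnable code. This is an added illustration, not code from the draft or from any I2NSF implementation: the DampenedPublisher class, simulate() and the sample change stream are constructed here.

```python
"""Dampening-period behaviour for I2NSF NSF monitoring notifications.

Added illustration, not part of the draft's YANG module or any I2NSF
implementation: DampenedPublisher, simulate() and SAMPLE_EVENTS are
constructed for this example. Only the rules come from the draft text.
"""
from typing import Dict, List, Optional, Tuple

CENTISECONDS_PER_SECOND = 100  # the dampening-period leaf is in centiseconds


class DampenedPublisher:
    def __init__(self, dampening_period: int = 0) -> None:
        # Same default as the YANG leaf: 0 centiseconds means no dampening.
        self.period_s = dampening_period / CENTISECONDS_PER_SECOND
        self._last_sent: Optional[float] = None
        self._pending: Optional[Dict[str, object]] = None
        self.sent: List[Tuple[float, Dict[str, object]]] = []

    def _period_active(self, now: float) -> bool:
        # A period runs from the last notification for period_s seconds.
        return self._last_sent is not None and now - self._last_sent < self.period_s

    def _send(self, now: float, record: Dict[str, object]) -> None:
        # Marshal the record into a notification and restart the countdown.
        self.sent.append((now, record))
        self._last_sent = now
        self._pending = None

    def on_change(self, now: float, changed: Dict[str, object]) -> bool:
        """A subscribed object changed. Returns True if a notification was
        sent now, False if the change was only buffered."""
        self.tick(now)
        if self._period_active(now):
            # Period active: update the buffered record with the latest values.
            self._pending = {**(self._pending or {}), **changed}
            return False
        self._send(now, {**(self._pending or {}), **changed})
        return True

    def tick(self, now: float) -> bool:
        """The clock advanced. If a period has ended with changes buffered,
        send the latest record now. Returns True if something was sent."""
        if self._pending is not None and not self._period_active(now):
            self._send(now, self._pending)
            return True
        return False


def simulate(dampening_period: int, events):
    """Replay constructed (time_s, changed) tuples; changed=None is a pure
    clock tick. Returns the (time, record) pairs that reached the receiver."""
    pub = DampenedPublisher(dampening_period)
    for now, changed in events:
        if changed is None:
            pub.tick(now)
        else:
            pub.on_change(now, changed)
    return pub.sent


# Constructed sample: resource-utilisation values changing over 20 s.
SAMPLE_EVENTS = [
    (0.0, {"cpu-usage": 80}),                      # no period active: sent at once
    (1.0, {"cpu-usage": 85}),                      # inside the period: buffered
    (2.0, {"cpu-usage": 90, "memory-usage": 40}),  # overwrites the buffered value
    (5.0, None),                                   # period ends: buffered record sent
    (7.0, {"cpu-usage": 70}),                      # new period active: buffered
    (10.0, None),                                  # sent, countdown restarts
    (20.0, {"cpu-usage": 60}),                     # no period active: sent at once
]

if __name__ == "__main__":
    for when, record in simulate(500, SAMPLE_EVENTS):  # 500 cs = 5 s
        print(f"t={when:5.1f}s  {record}")
```

With dampening-period 500 the seven changes produce four notifications; with the default 0 every change is sent immediately.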
/*
* Feature Nodes
*/
feature i2nsf-nsf-detection-ddos {
description
"This feature means it supports I2NSF nsf-detection-ddos
notification";
}
feature i2nsf-nsf-detection-virus {
description
"This feature means it supports I2NSF nsf-detection-virus
notification";
}
feature i2nsf-nsf-detection-intrusion {
description
"This feature means it supports I2NSF nsf-detection-intrusion
notification";
}
feature i2nsf-nsf-detection-botnet {
description
"This feature means it supports I2NSF nsf-detection-botnet
notification";
}
feature i2nsf-nsf-detection-web-attack {
description
"This feature means it supports I2NSF nsf-detection-web-attack
notification";
}
feature i2nsf-nsf-log-dpi {
description
"This feature means it supports I2NSF nsf-log-dpi
notification";
}
feature i2nsf-nsf-log-vuln-scan {
description
"This feature means it supports I2NSF nsf-log-vuln-scan
notification";
}
/*
* Notification nodes
*/
notification i2nsf-event {
description
"Notification for I2NSF Event.";
choice sub-event-type {
description
"This choice must be augmented with cases for each allowed
sub-event. Only 1 sub-event will be instantiated in each
i2nsf-event message. Each case is expected to define one
container with all the sub-event fields.";
case i2nsf-system-detection-alarm {
container i2nsf-system-detection-alarm{
description
"This notification is sent, when a system alarm
is detected.";
leaf alarm-category {
type identityref {
base alarm-type;
}
description
"The alarm category for
system-detection-alarm notification";
}
leaf component-name {
type string;
description
"The hardware component responsible for generating
the message. Applicable for Hardware Failure
Alarm.";
}
leaf interface-name {
type string;
description
"The interface name responsible for generating
the message. Applicable for Network Interface
Failure Alarm.";
}
leaf interface-state {
type enumeration {
enum down {
description
"The interface state is down.";
}
enum up {
description
"The interface state is up.";
}
enum congested {
description
"The interface state is congested.";
}
}
description
"The state of the interface (i.e., up, down, congested).
Applicable for Network Interface Failure Alarm.";
}
uses characteristics;
uses i2nsf-system-alarm-type-content;
uses common-monitoring-data;
}
}
case i2nsf-system-detection-event {
container i2nsf-system-detection-event {
description
"This notification is sent when a security-sensitive
authentication action fails.";
leaf event-category {
type identityref {
base event-type;
}
description
"The event category for system-detection-event";
}
uses characteristics;
uses i2nsf-system-event-type-content;
uses common-monitoring-data;
}
}
case i2nsf-traffic-flows {
container i2nsf-traffic-flows {
description
"This notification is sent to inform about the traffic
flows.";
leaf src-ip {
type inet:ip-address;
description
"The source IPv4 (or IPv6) address of the packet";
}
leaf dst-ip {
type inet:ip-address;
description
"The destination IPv4 (or IPv6) address of the packet";
}
leaf protocol {
type identityref {
base protocol-type;
}
description
"The protocol type for nsf-detection-intrusion
notification";
}
leaf src-port {
type inet:port-number;
description
"The source port of the packet";
}
leaf dst-port {
type inet:port-number;
description
"The destination port of the packet";
}
leaf arrival-rate {
type uint32;
units "pps";
description
"The arrival rate of the packet in packets
per second";
}
uses characteristics;
uses common-monitoring-data;
}
}
case i2nsf-nsf-detection-session-table {
container i2nsf-nsf-detection-session-table {
description
"This notification is sent, when a session table
event is detected.";
leaf current-session {
type uint32;
description
"The number of concurrent sessions";
}
leaf maximum-session {
type uint32;
description
"The maximum number of sessions that the session
table can support";
}
leaf threshold {
type uint32;
description
"The threshold triggering the event";
}
uses common-monitoring-data;
}
}
}
}
notification i2nsf-log {
description
"Notification for I2NSF log. The notification is generated
from the logs of the NSF.";
choice sub-logs-type {
description
"This choice must be augmented with cases for each allowed
sub-logs. Only 1 sub-event will be instantiated in each
i2nsf-logs message. Each case is expected to define one
container with all the sub-logs fields.";
case i2nsf-nsf-system-access-log {
container i2nsf-nsf-system-access-log {
description
"The notification is sent, if there is a new system
log entry about a system access event.";
leaf login-ip {
type inet:ip-address;
mandatory true;
description
"Login IP address of a user";
}
leaf administrator {
type string;
description
"Administrator that maintains the device";
}
leaf login-mode {
type login-mode;
description
"Specifies the administrator log-in mode";
}
leaf operation-type {
type operation-type;
description
"The operation type that the administrator executes";
}
leaf result {
type string;
description
"Command execution result";
}
leaf content {
type string;
description
"The Operation performed by an administrator after
login";
}
uses characteristics;
uses common-monitoring-data;
}
}
case i2nsf-system-res-util-log {
container i2nsf-system-res-util-log {
description
"This notification is sent, if there is a new log
entry representing resource utilization updates.";
leaf system-status {
type string;
description
"The current systems running status";
}
leaf cpu-usage {
type uint8;
description
"Specifies the relative size of CPU usage with
respect to platform resources";
}
leaf memory-usage {
type uint8;
description
"Specifies the size of memory usage.";
}
leaf disk-usage {
type uint8;
description
"Specifies the size of disk usage";
}
leaf disk-left {
type uint8;
description
"Specifies the size of disk left";
}
leaf session-num {
type uint8;
description
"The total number of sessions";
}
leaf process-num {
type uint8;
description
"The total number of processes";
}
leaf in-traffic-rate {
type uint32;
units "pps";
description
"The total inbound traffic rate in pps";
}
leaf out-traffic-rate {
type uint32;
units "pps";
description
"The total outbound traffic rate in pps";
}
leaf in-traffic-speed {
type uint32;
units "bps";
description
"The total inbound traffic speed in bps";
}
leaf out-traffic-speed {
type uint32;
units "bps";
description
"The total outbound traffic speed in bps";
}
uses characteristics;
uses common-monitoring-data;
}
}
case i2nsf-system-user-activity-log {
container i2nsf-system-user-activity-log {
description
"This notification is sent, if there is a new user
activity log entry.";
uses characteristics;
uses i2nsf-system-event-type-content;
uses common-monitoring-data;
leaf access {
type identityref {
base access-mode;
}
description
"The access type for system-user-activity-log
notification";
}
leaf online-duration {
type string;
description
"Online duration";
}
leaf logout-duration {
type string;
description
"Lockout duration";
}
leaf additional-info {
type string;
description
"User activities, e.g., Successful User Login,
Failed Login attempts, User Logout, Successful User
Password Change, Failed User Password Change, User
Lockout, User Unlocking, and Unknown.";
}
}
}
}
}
notification i2nsf-nsf-event {
description
"Notification for I2NSF NSF Event. This notification is
used for a specific NSF that supported such feature.";
choice sub-event-type {
description
"This choice must be augmented with cases for each allowed
sub-event. Only 1 sub-event will be instantiated in each
i2nsf-event message. Each case is expected to define one
container with all the sub-event fields.";
case i2nsf-nsf-detection-ddos {
if-feature "i2nsf-nsf-detection-ddos";
container i2nsf-nsf-detection-ddos {
description
"This notification is sent, when a specific flood type
is detected.";
uses i2nsf-nsf-event-type-content;
leaf attack-type {
type identityref {
base flood-type;
}
description
"Any one of Syn flood, ACK flood, SYN-ACK flood,
FIN/RST flood, TCP Connection flood, UDP flood,
ICMP (i.e., ICMPv4 or ICMPv6) flood, HTTP flood,
HTTPS flood, DNS query flood, DNS reply flood, SIP
flood, etc.";
}
leaf start-time {
type yang:date-and-time;
mandatory true;
description
"The time stamp indicating when the attack started";
}
leaf end-time {
type yang:date-and-time;
mandatory true;
description
"The time stamp indicating when the attack ended";
}
leaf attack-src-ip {
type inet:ip-address;
description
"The source IPv4 (or IPv6) addresses of attack
traffic. If there are a large number of IPv4
(or IPv6) addresses, then pick a certain number
of resources according to different rules.";
}
leaf attack-dst-ip {
type inet:ip-address;
description
"The destination IPv4 (or IPv6) addresses of attack
traffic. If there are a large number of IPv4
(or IPv6) addresses, then pick a certain number
of resources according to different rules.";
}
uses attack-rates;
uses log-action;
uses characteristics;
uses common-monitoring-data;
}
}
case i2nsf-nsf-detection-virus {
if-feature "i2nsf-nsf-detection-virus";
container i2nsf-nsf-detection-virus {
description
"This notification is sent, when a virus is detected.";
uses i2nsf-nsf-event-type-content-extend;
leaf virus {
type identityref {
base virus-type;
}
description description
"The service which has vulnerability in the victim "The virus type for nsf-detection-virus notification";
host"; }
} leaf virus-name {
uses characteristics; type string;
uses common-monitoring-data; description
} "The name of the detected virus";
} }
case i2nsf-nsf-log-dpi { leaf file-type {
if-feature "i2nsf-nsf-log-dpi"; type string;
container i2nsf-nsf-log-dpi { description
description "The type of file virus code is found in (if
"This notification is sent, if there is a new DPI applicable).";
event in the NSF log."; }
leaf attack-type { leaf file-name {
type dpi-type; type string;
description
"The name of file virus code is found in (if
applicable).";
}
leaf os {
type string;
description
"Simple OS information";
}
uses log-action;
uses characteristics;
uses common-monitoring-data;
}
}
case i2nsf-nsf-detection-intrusion {
if-feature "i2nsf-nsf-detection-intrusion";
container i2nsf-nsf-detection-intrusion {
description
"This notification is sent, when an intrusion event
is detected.";
uses i2nsf-nsf-event-type-content-extend;
leaf protocol {
type identityref {
base protocol-type;
}
description
"The protocol type for nsf-detection-intrusion
notification";
}
leaf app {
type string;
description
"The employed application layer protocol";
}
leaf attack-type {
type identityref {
base intrusion-attack-type;
}
description
"The sub attack type for intrusion attack";
}
uses log-action;
uses attack-rates;
uses characteristics;
uses common-monitoring-data;
}
}
case i2nsf-nsf-detection-botnet {
if-feature "i2nsf-nsf-detection-botnet";
container i2nsf-nsf-detection-botnet {
description
"This notification is sent, when a botnet event is
detected.";
uses i2nsf-nsf-event-type-content-extend;
leaf attack-type {
type identityref {
base botnet-attack-type;
}
description description
"The type of the DPI"; "The attack type for botnet attack";
} }
uses characteristics; leaf protocol {
uses i2nsf-nsf-counters-type-content; type identityref {
uses common-monitoring-data; base protocol-type;
} }
} description
} "The protocol type for nsf-detection-botnet
} notification";
/* }
* Data nodes leaf botnet-name {
*/ type string;
container i2nsf-counters { description
config false; "The name of the detected botnet";
description }
"This is probably better covered by an import as this leaf role {
will not be notifications. Counters are not very type string;
suitable as telemetry, maybe via periodic description
subscriptions, which would still violate the principle "The role of the communicating
of least surprise."; parties within the botnet";
list system-interface { }
key interface-name; uses log-action;
description leaf botnet-pkt-num{
"Interface counters provide the visibility of traffic into and type uint8;
out of an NSF, and bandwidth usage."; description
uses characteristics; "The number of the packets sent to or from the detected
uses i2nsf-system-counter-type-content; botnet";
uses common-monitoring-data; }
} leaf os{
list nsf-firewall { type string;
key policy-name; description
description "Simple OS information";
"Firewall counters provide the visibility of traffic signatures, }
bandwidth usage, and how the configured security and bandwidth uses characteristics;
policies have been applied."; uses common-monitoring-data;
uses characteristics; }
uses i2nsf-nsf-counters-type-content; }
uses traffic-rates; case i2nsf-nsf-detection-web-attack {
uses common-monitoring-data; if-feature "i2nsf-nsf-detection-web-attack";
} container i2nsf-nsf-detection-web-attack {
list nsf-policy-hits { description
key policy-name; "This notification is sent, when an attack event is
description detected.";
"Policy Hit Counters record the number of hits that traffic uses i2nsf-nsf-event-type-content-extend;
packets match a security policy. It can check if policy leaf attack-type {
configurations are correct or not."; type identityref {
uses characteristics; base web-attack-type;
uses i2nsf-nsf-counters-type-content; }
uses common-monitoring-data; description
leaf hit-times { "Concrete web attack type, e.g., SQL injection,
type yang:counter32; command injection, XSS, and CSRF.";
description }
"The number of times a policy is hit"; leaf request-method {
} type identityref {
} base req-method;
} }
description
container i2nsf-monitoring-configuration { "The method of requirement. For instance, PUT or
description GET in HTTP.";
"The container for configuring I2NSF monitoring.";
container i2nsf-system-detection-alarm {
description
"The container for configuring I2NSF system-detection-alarm
notification";
uses enable-notification;
list system-alarm {
key alarm-type;
description
"Configuration for system alarm (i.e., CPU, Memory,
and Disk Usage)";
leaf alarm-type {
type enumeration {
enum CPU {
description
"To configure the CPU usage threshold to trigger the
CPU-USAGE-ALARM";
}
enum Memory {
description
"To configure the Memory usage threshold to trigger the
MEM-USAGE-ALARM";
}
enum Disk {
description
"To configure the Disk (storage) usage threshold to
trigger the DISK-USAGE-ALARM";
}
}
description
"Type of alarm to be configured";
} }
leaf threshold { leaf req-uri {
type uint8 { type string;
range "1..100"; description
} "Requested URI";
units "percent"; }
description leaf uri-category {
"The configuration for threshold percentage to trigger type string;
the alarm. The alarm will be triggered if the usage description
is exceeded the threshold."; "Matched URI category";
} }
uses dampening; leaf-list filtering-type {
} type identityref {
} base filter-type;
container i2nsf-system-detection-event { }
description description
"The container for configuring I2NSF system-detection-event "URL filtering type, e.g., Blacklist, Whitelist,
notification"; User-Defined, Predefined, Malicious Category,
uses enable-notification; and Unknown";
uses dampening; }
} leaf rsp-code {
container i2nsf-traffic-flows { type string;
description description
"The container for configuring I2NSF traffic-flows "Response code";
notification"; }
uses dampening; leaf req-clientapp {
uses enable-notification; type string;
} description
container i2nsf-nsf-detection-ddos { "The client application";
if-feature "i2nsf-nsf-detection-ddos"; }
description leaf req-cookies {
"The container for configuring I2NSF nsf-detection-ddos type string;
notification"; description
uses enable-notification; "Cookies";
uses dampening; }
} leaf req-host {
container i2nsf-nsf-detection-session-table-configuration { type string;
description description
"The container for configuring I2NSF nsf-detection-session-table "The domain name of the requested host";
notification"; }
uses enable-notification; uses characteristics;
uses dampening; uses log-action;
} uses common-monitoring-data;
container i2nsf-nsf-detection-virus { }
if-feature "i2nsf-nsf-detection-virus"; }
description case i2nsf-nsf-log-vuln-scan {
"The container for configuring I2NSF nsf-detection-virus if-feature "i2nsf-nsf-log-vuln-scan";
notification"; container i2nsf-nsf-log-vuln-scan {
description
"This notification is sent, if there is a new
vulnerability-scan report in the NSF log.";
leaf vulnerability-id {
type uint8;
description
"The vulnerability ID";
}
leaf victim-ip {
type inet:ip-address;
description
"IPv4 (or IPv6) address of the victim host which
has vulnerabilities";
}
leaf protocol {
type identityref {
base protocol-type;
}
description
"The protocol type for nsf-log-vuln-scan
notification";
}
leaf port-num {
type inet:port-number;
description
"The port number";
}
leaf level {
type severity;
description
"The vulnerability severity";
}
leaf os {
type string;
description
"simple OS information";
}
leaf vulnerability-info {
type string;
description
"The information about the vulnerability";
}
leaf fix-suggestion {
type string;
description
"The fix suggestion to the vulnerability";
}
leaf service {
type string;
description
"The service which has vulnerability in the victim
host";
}
uses characteristics;
uses common-monitoring-data;
}
}
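Review bot: `leaf vulnerability-id { type uint8; }` restricts a vulnerability identifier to 0..255, which cannot carry identifiers such as CVE names or scanner plugin ids; `type string` (with the naming scheme documented) is the appropriate type. In the same case, "simple OS information" is lower-case here while the other containers use "Simple OS information", and the `protocol` description ("The protocol type for nsf-log-vuln-scan notification") should say that it is the protocol of the vulnerable service on `victim-ip`/`port-num`.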
case i2nsf-nsf-log-dpi {
if-feature "i2nsf-nsf-log-dpi";
container i2nsf-nsf-log-dpi {
description
"This notification is sent, if there is a new DPI
event in the NSF log.";
leaf attack-type {
type dpi-type;
description
"The type of the DPI";
}
uses characteristics;
uses i2nsf-nsf-counters-type-content;
uses common-monitoring-data;
}
}
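Review bot: `leaf attack-type { type dpi-type; }` in `i2nsf-nsf-log-dpi` is the only attack-type leaf not modelled as `identityref { base ...; }` the way the intrusion, botnet and web-attack containers are, and its description "The type of the DPI" does not say what is being classified; either move to an identity base consistent with the siblings or document what `dpi-type` enumerates. The container also pulls in `uses i2nsf-nsf-counters-type-content` although it is described as a per-event log notification; a sentence explaining which counters accompany a DPI event would help implementers.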
}
}
/*
* Data nodes
*/
container i2nsf-counters {
config false;
description
"This is probably better covered by an import as this
will not be notifications. Counters are not very
suitable as telemetry, maybe via periodic
subscriptions, which would still violate the principle
of least surprise.";
list system-interface {
key interface-name;
description
"Interface counters provide the visibility of traffic into and
out of an NSF, and bandwidth usage.";
uses characteristics;
uses i2nsf-system-counter-type-content;
uses common-monitoring-data;
}
list nsf-firewall {
key policy-name;
description
"Firewall counters provide the visibility of traffic
signatures, bandwidth usage, and how the configured security
and bandwidth policies have been applied.";
uses characteristics;
uses i2nsf-nsf-counters-type-content;
uses traffic-rates;
uses common-monitoring-data;
}
list nsf-policy-hits {
key policy-name;
description
"Policy Hit Counters record the number of hits that traffic
packets match a security policy. It can check if policy
configurations are correct or not.";
uses characteristics;
uses i2nsf-nsf-counters-type-content;
uses common-monitoring-data;
leaf hit-times {
type yang:counter32;
description
"The number of times a policy is hit";
}
}
}
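Review bot: the `description` of `container i2nsf-counters` ("This is probably better covered by an import as this will not be notifications. Counters are not very suitable as telemetry, maybe via periodic subscriptions, which would still violate the principle of least surprise.") is an unresolved author note carried unchanged from -07 into the module text; replace it with a description of what the container holds (the `config false` per-interface, per-firewall-policy and policy-hit counters) and move the open design question to the document body or drop it.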
uses enable-notification; container i2nsf-monitoring-configuration {
uses dampening; description
} "The container for configuring I2NSF monitoring.";
container i2nsf-nsf-detection-intrusion { container i2nsf-system-detection-alarm {
if-feature "i2nsf-nsf-detection-intrusion"; description
description "The container for configuring I2NSF system-detection-alarm
"The container for configuring I2NSF nsf-detection-intrusion notification";
notification"; uses enable-notification;
uses enable-notification; list system-alarm {
uses dampening; key alarm-type;
} description
container i2nsf-nsf-detection-botnet { "Configuration for system alarm (i.e., CPU, Memory,
if-feature "i2nsf-nsf-detection-botnet"; and Disk Usage)";
description leaf alarm-type {
"The container for configuring I2NSF nsf-detection-botnet type enumeration {
notification"; enum CPU {
uses enable-notification; description
uses dampening; "To configure the CPU usage threshold to trigger the
} CPU-USAGE-ALARM";
container i2nsf-nsf-detection-web-attack { }
if-feature "i2nsf-nsf-detection-web-attack"; enum Memory {
description description
"The container for configuring I2NSF nsf-detection-web-attack "To configure the Memory usage threshold to trigger the
notification"; MEM-USAGE-ALARM";
uses enable-notification; }
uses dampening; enum Disk {
} description
container i2nsf-nsf-system-access-log { "To configure the Disk (storage) usage threshold to
description trigger the DISK-USAGE-ALARM";
"The container for configuring I2NSF system-access-log }
notification"; }
uses enable-notification; description
uses dampening; "Type of alarm to be configured";
} }
container i2nsf-system-res-util-log { leaf threshold {
description type uint8 {
"The container for configuring I2NSF system-res-util-log range "1..100";
notification"; }
uses enable-notification; units "percent";
uses dampening; description
} "The configuration for threshold percentage to trigger
container i2nsf-system-user-activity-log { the alarm. The alarm will be triggered if the usage
description is exceeded the threshold.";
"The container for configuring I2NSF system-user-activity-log }
notification"; uses dampening;
uses enable-notification; }
uses dampening; }
} container i2nsf-system-detection-event {
container i2nsf-nsf-log-dpi { description
if-feature "i2nsf-nsf-log-dpi"; "The container for configuring I2NSF system-detection-event
description notification";
"The container for configuring I2NSF nsf-log-dpi uses enable-notification;
notification"; uses dampening;
uses enable-notification; }
uses dampening; container i2nsf-traffic-flows {
} description
container i2nsf-nsf-log-vuln-scan { "The container for configuring I2NSF traffic-flows
if-feature "i2nsf-nsf-log-vuln-scan"; notification";
description uses dampening;
"The container for configuring I2NSF nsf-log-vuln-scan uses enable-notification;
notification"; }
uses enable-notification; container i2nsf-nsf-detection-ddos {
uses dampening; if-feature "i2nsf-nsf-detection-ddos";
} description
container i2nsf-counter { "The container for configuring I2NSF nsf-detection-ddos
description notification";
"This is used to configure the counters uses enable-notification;
for monitoring an NSF"; uses dampening;
leaf period { }
type uint16; container i2nsf-nsf-detection-session-table-configuration {
units "minutes"; description
default 0; "The container for configuring I2NSF nsf-detection-session-
description table notification";
"The configuration for the period interval of reporting uses enable-notification;
the counter. If 0, then the counter period is disabled. uses dampening;
If value is not 0, then the counter will be reported }
following the period value."; container i2nsf-nsf-detection-virus {
} if-feature "i2nsf-nsf-detection-virus";
} description
} "The container for configuring I2NSF nsf-detection-virus
} notification";
<CODE ENDS> uses enable-notification;
uses dampening;
}
container i2nsf-nsf-detection-intrusion {
if-feature "i2nsf-nsf-detection-intrusion";
description
"The container for configuring I2NSF nsf-detection-intrusion
notification";
uses enable-notification;
uses dampening;
}
container i2nsf-nsf-detection-botnet {
if-feature "i2nsf-nsf-detection-botnet";
description
"The container for configuring I2NSF nsf-detection-botnet
notification";
uses enable-notification;
uses dampening;
}
container i2nsf-nsf-detection-web-attack {
if-feature "i2nsf-nsf-detection-web-attack";
description
"The container for configuring I2NSF nsf-detection-web-attack
notification";
uses enable-notification;
uses dampening;
}
container i2nsf-nsf-system-access-log {
description
"The container for configuring I2NSF system-access-log
notification";
uses enable-notification;
uses dampening;
}
container i2nsf-system-res-util-log {
description
"The container for configuring I2NSF system-res-util-log
notification";
uses enable-notification;
uses dampening;
}
container i2nsf-system-user-activity-log {
description
"The container for configuring I2NSF system-user-activity-log
notification";
uses enable-notification;
uses dampening;
}
container i2nsf-nsf-log-dpi {
if-feature "i2nsf-nsf-log-dpi";
description
"The container for configuring I2NSF nsf-log-dpi
notification";
uses enable-notification;
uses dampening;
}
container i2nsf-nsf-log-vuln-scan {
if-feature "i2nsf-nsf-log-vuln-scan";
description
"The container for configuring I2NSF nsf-log-vuln-scan
notification";
uses enable-notification;
uses dampening;
}
container i2nsf-counter {
description
"This is used to configure the counters
for monitoring an NSF";
leaf period {
type uint16;
units "minutes";
default 0;
description
"The configuration for the period interval of reporting
the counter. If 0, then the counter period is disabled.
If value is not 0, then the counter will be reported
following the period value.";
}
}
}
}
<CODE ENDS>
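Review bot: `container i2nsf-nsf-detection-session-table-configuration` is the only notification-configuration container with a `-configuration` suffix; its siblings are named after the notification (`i2nsf-nsf-detection-ddos`, `i2nsf-nsf-detection-virus`, ...), and -08 only re-wraps its description. Renaming it `i2nsf-nsf-detection-session-table` keeps the pattern. Two smaller points in the same block: the `threshold` description under `system-alarm` should read "if the usage exceeds the threshold" rather than "is exceeded the threshold", and `i2nsf-traffic-flows` lists `uses dampening` before `uses enable-notification`, the reverse of every other container.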
Figure 2: Data Model of Monitoring Figure 2: Data Model of Monitoring
11. I2NSF Event Stream 11. I2NSF Event Stream
This section discusses the NETCONF event stream for I2NSF NSF This section discusses the NETCONF event stream for I2NSF NSF
Monitoring subscription. The YANG module in this document supports Monitoring subscription. The YANG module in this document supports
"ietf-subscribed-notifications" YANG module [RFC8639] for "ietf-subscribed-notifications" YANG module [RFC8639] for
subscription. The reserved event stream name for this document is subscription. The reserved event stream name for this document is
"I2NSF-Monitoring". The NETCONF Server (e.g., an NSF) MUST support "I2NSF-Monitoring". The NETCONF Server (e.g., an NSF) MUST support
"I2NSF-Monitoring" event stream for an NSF data collector (e.g., "I2NSF-Monitoring" event stream for an NSF data collector (e.g.,
Security Controller and NSF data analyzer). The "I2NSF-Monitoring" Security Controller and NSF data analyzer). The "I2NSF-Monitoring"
event stream contains all I2NSF events described in this document. event stream contains all I2NSF events described in this document.
The following example shows the capabilities of the event streams of The following example shows the capabilities of the event streams of
an NSF (e.g., "NETCONF" and "I2NSF-Monitoring" event streams) by the an NSF (e.g., "NETCONF" and "I2NSF-Monitoring" event streams) by the
subscription of an NSF data collector; note that this example XML subscription of an NSF data collector; note that this example XML
file is delivered by an NSF to an NSF data collector: file is delivered by an NSF to an NSF data collector:
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"> <rpc-reply message-id="1"
<data> xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<netconf xmlns="urn:ietf:params:xml:ns:netmod:notification"> <data>
<streams> <netconf xmlns="urn:ietf:params:xml:ns:netmod:notification">
<stream> <streams>
<name>NETCONF</name> <stream>
<description>Default NETCONF Event Stream</description> <name>NETCONF</name>
<replaySupport>false</replaySupport> <description>Default NETCONF Event Stream</description>
</stream> <replaySupport>false</replaySupport>
<stream> </stream>
<name>I2NSF-Monitoring</name> <stream>
<description>I2NSF Monitoring Event Stream</description> <name>I2NSF-Monitoring</name>
<replaySupport>true</replaySupport> <description>I2NSF Monitoring Event Stream</description>
<replayLogCreationTime>2021-03-31T09:37:39+00:00</replayLogCreationTime> <replaySupport>true</replaySupport>
</stream> <replayLogCreationTime>
</streams> 2021-04-29T09:37:39+00:00
</netconf> </replayLogCreationTime>
</data> </stream>
</rpc-reply> </streams>
</netconf>
</data>
</rpc-reply>
Figure 3: Example of NETCONF Server supporting I2NSF-Monitoring Event Figure 3: Example of NETCONF Server supporting I2NSF-Monitoring Event
Stream Stream
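Review bot: the -08 re-wrap of Figure 3 puts the `replayLogCreationTime` value on its own line between the start and end tags, so the element text now carries leading and trailing whitespace and newlines; a consumer that does not collapse whitespace will fail to parse the timestamp. Either keep `<replayLogCreationTime>2021-04-29T09:37:39+00:00</replayLogCreationTime>` on one line or state the line-folding convention the examples use (RFC 8792 defines one with a header note).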
12. XML Examples for I2NSF NSF Monitoring 12. XML Examples for I2NSF NSF Monitoring
This section shows the XML examples of I2NSF NSF Monitoring data This section shows the XML examples of I2NSF NSF Monitoring data
delivered via Monitoring Interface from an NSF. delivered via Monitoring Interface from an NSF.
12.1. I2NSF System Detection Alarm 12.1. I2NSF System Detection Alarm
The following example shows an alarm triggered by Memory Usage of the The following example shows an alarm triggered by Memory Usage of the
server; note that this example XML file is delivered by an NSF to an server; note that this example XML file is delivered by an NSF to an
NSF data collector: NSF data collector:
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<notification xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0"> <notification xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0">
<eventTime>2021-03-31T07:43:52.181088+00:00</eventTime> <eventTime>2021-04-29T07:43:52.181088+00:00</eventTime>
<i2nsf-event xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring"> <i2nsf-event
<i2nsf-system-detection-alarm> xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring">
<alarm-category xmlns:nsfmi="urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring"> <i2nsf-system-detection-alarm>
nsfmi:mem-usage-alarm <alarm-category
</alarm-category> xmlns:nsfmi="urn:ietf:params:xml:ns:yang:\
<acquisition-method xmlns:nsfmi="urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring"> ietf-i2nsf-nsf-monitoring">
nsfmi:subscription nsfmi:mem-usage-alarm
</acquisition-method> </alarm-category>
<emission-type xmlns:nsfmi="urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring"> <acquisition-method
nsfmi:on-change xmlns:nsfmi="urn:ietf:params:xml:ns:yang:\
</emission-type> ietf-i2nsf-nsf-monitoring">
<dampening-type xmlns:nsfmi="urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring"> nsfmi:subscription
nsfmi:on-repetition </acquisition-method>
</dampening-type> <emission-type
<usage>91</usage> xmlns:nsfmi="urn:ietf:params:xml:ns:yang:\
<threshold>90</threshold> ietf-i2nsf-nsf-monitoring">
<message>Memory Usage Exceeded The Threshold</message> nsfmi:on-change
<nsf-name>time_based_firewall</nsf-name> </emission-type>
<severity>high</severity> <dampening-type
</i2nsf-system-detection-alarm> xmlns:nsfmi="urn:ietf:params:xml:ns:yang:\
</i2nsf-event> ietf-i2nsf-nsf-monitoring">
</notification> nsfmi:on-repetition
</dampening-type>
<usage>91</usage>
<threshold>90</threshold>
<message>Memory Usage Exceeded the Threshold</message>
<nsf-name>time_based_firewall</nsf-name>
<severity>high</severity>
</i2nsf-system-detection-alarm>
</i2nsf-event>
</notification>
Figure 4: Example of I2NSF System Detection Alarm triggered by Memory Figure 4: Example of I2NSF System Detection Alarm triggered by Memory
Usage Usage
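Review bot: the -08 folding of the long attributes in Figure 4, `xmlns:nsfmi="urn:ietf:params:xml:ns:yang:\` followed by `ietf-i2nsf-nsf-monitoring">`, uses a trailing backslash that is not XML, so the example no longer parses as written and the namespace URI would contain the backslash and newline if it did; the same fold appears in Figure 6. Either keep the attribute on one line or add the RFC 8792 folding note at the top of each figure so readers know to unfold before use.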
The XML data above shows: The XML data above shows:
1. The NSF that sends the information is named 1. The NSF that sends the information is named
"time_based_firewall". "time_based_firewall".
2. The memory usage of the NSF triggered the alarm. 2. The memory usage of the NSF triggered the alarm.
skipping to change at page 76, line 12 skipping to change at page 77, line 22
8. The severity level of the notification is high. 8. The severity level of the notification is high.
12.2. I2NSF Interface Counters 12.2. I2NSF Interface Counters
To get the I2NSF system interface counters information by query, To get the I2NSF system interface counters information by query,
NETCONF Client (e.g., NSF data collector) needs to initiate GET NETCONF Client (e.g., NSF data collector) needs to initiate GET
connection with NETCONF Server (e.g., NSF). The following XML file connection with NETCONF Server (e.g., NSF). The following XML file
can be used to get the state data and filter the information. can be used to get the state data and filter the information.
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"> <rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
<get> <get>
<filter xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring"> <filter
<i2nsf-counters> xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring">
<system-interface/> <i2nsf-counters>
</i2nsf-counters> <system-interface/>
</filter> </i2nsf-counters>
</get> </filter>
</rpc> </get>
</rpc>
Figure 5: XML Example for NETCONF GET with System Interface Filter Figure 5: XML Example for NETCONF GET with System Interface Filter
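Review bot: in Figure 5 the default namespace `urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring` is declared on `<filter>`, which moves the `filter` element itself out of the NETCONF base namespace that `<rpc>` and `<get>` in the same message use; a strict server will not recognise the filter. The declaration belongs on the first module node: `<filter type="subtree">` then `<i2nsf-counters xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring">`. The subtree otherwise matches the `i2nsf-counters/system-interface` list in the module and the reply in Figure 6.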
The following XML file shows the reply from the NETCONF Server (e.g., The following XML file shows the reply from the NETCONF Server (e.g.,
NSF): NSF):
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1"> <rpc-reply message-id="1"
<data> xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<i2nsf-counters xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring"> <data>
<system-interface> <i2nsf-counters
<interface-name>ens3</interface-name> xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring">
<acquisition-method xmlns:nsfmi="urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring"> <system-interface>
nsfmi:query <interface-name>ens3</interface-name>
</acquisition-method> <acquisition-method
<in-total-traffic-bytes>549050</in-total-traffic-bytes> xmlns:nsfmi="urn:ietf:params:xml:ns:yang:\
<out-total-traffic-bytes>814956</out-total-traffic-bytes> ietf-i2nsf-nsf-monitoring">
<in-drop-traffic-bytes>0</in-drop-traffic-bytes> nsfmi:query
<out-drop-traffic-bytes>5078</out-drop-traffic-bytes> </acquisition-method>
<nsf-name>time_based_firewall</nsf-name> <in-total-traffic-bytes>549050</in-total-traffic-bytes>
</system-interface> <out-total-traffic-bytes>814956</out-total-traffic-bytes>
<system-interface> <in-drop-traffic-bytes>0</in-drop-traffic-bytes>
<interface-name>lo</interface-name> <out-drop-traffic-bytes>5078</out-drop-traffic-bytes>
<acquisition-method xmlns:nsfmi="urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring"> <nsf-name>time_based_firewall</nsf-name>
nsfmi:query </system-interface>
</acquisition-method> <system-interface>
<in-total-traffic-bytes>48487</in-total-traffic-bytes> <interface-name>lo</interface-name>
<out-total-traffic-bytes>48487</out-total-traffic-bytes> <acquisition-method
<in-drop-traffic-bytes>0</in-drop-traffic-bytes> xmlns:nsfmi="urn:ietf:params:xml:ns:yang:\
<out-drop-traffic-bytes>0</out-drop-traffic-bytes> ietf-i2nsf-nsf-monitoring">
<nsf-name>time_based_firewall</nsf-name> nsfmi:query
</system-interface> </acquisition-method>
</i2nsf-counters> <in-total-traffic-bytes>48487</in-total-traffic-bytes>
</data> <out-total-traffic-bytes>48487</out-total-traffic-bytes>
</rpc-reply> <in-drop-traffic-bytes>0</in-drop-traffic-bytes>
<out-drop-traffic-bytes>0</out-drop-traffic-bytes>
<nsf-name>time_based_firewall</nsf-name>
</system-interface>
</i2nsf-counters>
</data>
</rpc-reply>
Figure 6: Example of I2NSF System Interface Counters XML Information Figure 6: Example of I2NSF System Interface Counters XML Information
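As an added example (not from the draft or the I2NSF project), the following Python shows the collector side of Sections 12.1 and 12.2: it parses the alarm notification of Figure 4 and the counters reply of Figure 6, resolves the `nsfmi:` identityref values through the document's own namespace declarations, and re-checks the constraints the module states (threshold within 1..100 percent, alarm raised when usage exceeds the threshold). The sample messages are constructed from the figures' values with the folded attributes re-joined; the drop-versus-total consistency check is this example's own assumption, not a rule of the module.

```python
"""Collector-side parsing of I2NSF NSF monitoring XML (draft Figures 4 and 6).
Added example, not part of the draft; samples are constructed from the figures."""
import io
import xml.etree.ElementTree as ET

NC_BASE = "urn:ietf:params:xml:ns:netconf:base:1.0"
NC_NOTIF = "urn:ietf:params:xml:ns:netconf:notification:1.0"
NSFMI = "urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring"

# Constructed from Figure 4; the folded xmlns attributes are joined back onto one line.
FIG4_ALARM_XML = f"""<notification xmlns="{NC_NOTIF}">
  <eventTime>2021-04-29T07:43:52.181088+00:00</eventTime>
  <i2nsf-event xmlns="{NSFMI}">
    <i2nsf-system-detection-alarm>
      <alarm-category xmlns:nsfmi="{NSFMI}">nsfmi:mem-usage-alarm</alarm-category>
      <acquisition-method xmlns:nsfmi="{NSFMI}">nsfmi:subscription</acquisition-method>
      <emission-type xmlns:nsfmi="{NSFMI}">nsfmi:on-change</emission-type>
      <dampening-type xmlns:nsfmi="{NSFMI}">nsfmi:on-repetition</dampening-type>
      <usage>91</usage>
      <threshold>90</threshold>
      <message>Memory Usage Exceeded the Threshold</message>
      <nsf-name>time_based_firewall</nsf-name>
      <severity>high</severity>
    </i2nsf-system-detection-alarm>
  </i2nsf-event>
</notification>"""

# Constructed from Figure 6, the rpc-reply to the <get> of Figure 5.
FIG6_COUNTERS_XML = f"""<rpc-reply message-id="1" xmlns="{NC_BASE}">
  <data>
    <i2nsf-counters xmlns="{NSFMI}">
      <system-interface>
        <interface-name>ens3</interface-name>
        <acquisition-method xmlns:nsfmi="{NSFMI}">nsfmi:query</acquisition-method>
        <in-total-traffic-bytes>549050</in-total-traffic-bytes>
        <out-total-traffic-bytes>814956</out-total-traffic-bytes>
        <in-drop-traffic-bytes>0</in-drop-traffic-bytes>
        <out-drop-traffic-bytes>5078</out-drop-traffic-bytes>
        <nsf-name>time_based_firewall</nsf-name>
      </system-interface>
      <system-interface>
        <interface-name>lo</interface-name>
        <acquisition-method xmlns:nsfmi="{NSFMI}">nsfmi:query</acquisition-method>
        <in-total-traffic-bytes>48487</in-total-traffic-bytes>
        <out-total-traffic-bytes>48487</out-total-traffic-bytes>
        <in-drop-traffic-bytes>0</in-drop-traffic-bytes>
        <out-drop-traffic-bytes>0</out-drop-traffic-bytes>
        <nsf-name>time_based_firewall</nsf-name>
      </system-interface>
    </i2nsf-counters>
  </data>
</rpc-reply>"""


def q(name):
    """Clark-notation name of a node in the I2NSF monitoring module."""
    return f"{{{NSFMI}}}{name}"


def ns_prefixes(xml_text):
    """Map each xmlns:prefix declared in the document to its URI (document-wide, as in the figures)."""
    return {p: u for _, (p, u) in ET.iterparse(io.StringIO(xml_text), events=("start-ns",))}


def resolve_identityref(value, prefixes):
    """'nsfmi:mem-usage-alarm' -> (module namespace, 'mem-usage-alarm'); unbound prefixes are an error."""
    prefix, _, name = value.strip().rpartition(":")
    if prefix not in prefixes:
        raise ValueError(f"identityref {value!r} uses an undeclared prefix")
    return prefixes[prefix], name


def parse_alarm(xml_text):
    """Extract the system-detection-alarm and re-check it against the module's constraints."""
    root, prefixes = ET.fromstring(xml_text), ns_prefixes(xml_text)
    alarm = root.find(q("i2nsf-event") + "/" + q("i2nsf-system-detection-alarm"))
    if alarm is None:
        raise ValueError("not an i2nsf-system-detection-alarm notification")
    ns, category = resolve_identityref(alarm.findtext(q("alarm-category")), prefixes)
    if ns != NSFMI:  # the identity must come from the monitoring module, not a look-alike prefix
        raise ValueError("alarm-category identity is not from the I2NSF monitoring module")
    usage, threshold = int(alarm.findtext(q("usage"))), int(alarm.findtext(q("threshold")))
    if not 1 <= threshold <= 100:  # module: uint8 { range "1..100"; } units "percent"
        raise ValueError(f"threshold {threshold} outside 1..100 percent")
    return {"event_time": root.findtext(f"{{{NC_NOTIF}}}eventTime"),
            "nsf_name": alarm.findtext(q("nsf-name")), "category": category,
            "severity": alarm.findtext(q("severity")), "usage": usage,
            "threshold": threshold, "exceeded": usage > threshold}


def parse_interface_counters(xml_text):
    """One row per system-interface entry with an out-drop ratio; drops above totals are rejected."""
    root, prefixes = ET.fromstring(xml_text), ns_prefixes(xml_text)
    rows = []
    for itf in root.iter(q("system-interface")):
        _, method = resolve_identityref(itf.findtext(q("acquisition-method")), prefixes)
        row = {"interface": itf.findtext(q("interface-name")), "acquisition": method}
        for leaf in ("in-total", "out-total", "in-drop", "out-drop"):
            row[leaf] = int(itf.findtext(q(leaf + "-traffic-bytes"), "0"))
        # Assumption of this example: dropped bytes are a subset of the total bytes on the interface.
        if row["in-drop"] > row["in-total"] or row["out-drop"] > row["out-total"]:
            raise ValueError(f"{row['interface']}: dropped bytes exceed total bytes")
        row["out_drop_ratio"] = row["out-drop"] / row["out-total"] if row["out-total"] else 0.0
        rows.append(row)
    return rows
```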
13. IANA Considerations 13. IANA Considerations
This document requests IANA to register the following URI in the This document requests IANA to register the following URI in the
"IETF XML Registry" [RFC3688]: "IETF XML Registry" [RFC3688]:
URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring
Registrant Contact: The IESG. Registrant Contact: The IESG.
skipping to change at page 79, line 15 skipping to change at page 80, line 15
15. Acknowledgments 15. Acknowledgments
This work was supported by Institute of Information & Communications This work was supported by Institute of Information & Communications
Technology Planning & Evaluation (IITP) grant funded by the Korea Technology Planning & Evaluation (IITP) grant funded by the Korea
MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based
Security Intelligence Technology Development for the Customized Security Intelligence Technology Development for the Customized
Security Service Provisioning). This work was supported in part by Security Service Provisioning). This work was supported in part by
the IITP (2020-0-00395, Standard Development of Blockchain based the IITP (2020-0-00395, Standard Development of Blockchain based
Network Management Automation Technology). This work was supported Network Management Automation Technology). This work was supported
in part by the MSIT under the Information Technology Research Center in part by the MSIT under the Information Technology Research Center
(ITRC) support program (IITP-2020-2017-0-01633) supervised by the (ITRC) support program (IITP-2021-2017-0-01633) supervised by the
IITP. IITP.
16. Contributors 16. Contributors
This document is made by the group effort of I2NSF working group. This document is made by the group effort of I2NSF working group.
Many people actively contributed to this document. The authors Many people actively contributed to this document. The authors
sincerely appreciate their contributions. sincerely appreciate their contributions.
The following are co-authors of this document: The following are co-authors of this document:
skipping to change at page 81, line 13 skipping to change at page 82, line 13
<https://www.rfc-editor.org/info/rfc792>. <https://www.rfc-editor.org/info/rfc792>.
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7, [RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
RFC 793, DOI 10.17487/RFC0793, September 1981, RFC 793, DOI 10.17487/RFC0793, September 1981,
<https://www.rfc-editor.org/info/rfc793>. <https://www.rfc-editor.org/info/rfc793>.
[RFC0956] Mills, D., "Algorithms for synchronizing network clocks", [RFC0956] Mills, D., "Algorithms for synchronizing network clocks",
RFC 956, DOI 10.17487/RFC0956, September 1985, RFC 956, DOI 10.17487/RFC0956, September 1985,
<https://www.rfc-editor.org/info/rfc956>. <https://www.rfc-editor.org/info/rfc956>.
[RFC0959] Postel, J. and J. Reynolds, "File Transfer Protocol",
STD 9, RFC 959, DOI 10.17487/RFC0959, October 1985,
<https://www.rfc-editor.org/info/rfc959>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
Transfer Protocol -- HTTP/1.1", RFC 2616, Transfer Protocol -- HTTP/1.1", RFC 2616,
DOI 10.17487/RFC2616, June 1999, DOI 10.17487/RFC2616, June 1999,
<https://www.rfc-editor.org/info/rfc2616>. <https://www.rfc-editor.org/info/rfc2616>.
skipping to change at page 83, line 29 skipping to change at page 84, line 29
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>. <https://www.rfc-editor.org/info/rfc8446>.
[RFC8525] Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K., [RFC8525] Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K.,
and R. Wilton, "YANG Library", RFC 8525, and R. Wilton, "YANG Library", RFC 8525,
DOI 10.17487/RFC8525, March 2019, DOI 10.17487/RFC8525, March 2019,
<https://www.rfc-editor.org/info/rfc8525>. <https://www.rfc-editor.org/info/rfc8525>.
[RFC8632] Vallin, S. and M. Bjorklund, "A YANG Data Model for Alarm
Management", RFC 8632, DOI 10.17487/RFC8632, September
2019, <https://www.rfc-editor.org/info/rfc8632>.
[RFC8639] Voit, E., Clemm, A., Gonzalez Prieto, A., Nilsen-Nygaard, [RFC8639] Voit, E., Clemm, A., Gonzalez Prieto, A., Nilsen-Nygaard,
E., and A. Tripathy, "Subscription to YANG Notifications", E., and A. Tripathy, "Subscription to YANG Notifications",
RFC 8639, DOI 10.17487/RFC8639, September 2019, RFC 8639, DOI 10.17487/RFC8639, September 2019,
<https://www.rfc-editor.org/info/rfc8639>. <https://www.rfc-editor.org/info/rfc8639>.
[RFC8641] Clemm, A. and E. Voit, "Subscription to YANG Notifications [RFC8641] Clemm, A. and E. Voit, "Subscription to YANG Notifications
for Datastore Updates", RFC 8641, DOI 10.17487/RFC8641, for Datastore Updates", RFC 8641, DOI 10.17487/RFC8641,
September 2019, <https://www.rfc-editor.org/info/rfc8641>. September 2019, <https://www.rfc-editor.org/info/rfc8641>.
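Review bot: [RFC8639] in the normative list and [I-D.ietf-netconf-subscribed-notifications] in the informative list (same author set: Voit, Clemm, Prieto, Nilsen-Nygaard, Tripathy) are the same work; the Internet-Draft was published as RFC 8639, and Section 11 cites only the RFC, so the I-D entry should be dropped or any remaining citation pointed at [RFC8639].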
17.2. Informative References 17.2. Informative References
skipping to change at page 84, line 8 skipping to change at page 85, line 13
applicability-18 (work in progress), September 2019. applicability-18 (work in progress), September 2019.
[I-D.ietf-i2nsf-capability] [I-D.ietf-i2nsf-capability]
Xia, L., Strassner, J., Basile, C., and D. Lopez, Xia, L., Strassner, J., Basile, C., and D. Lopez,
"Information Model of NSFs Capabilities", draft-ietf- "Information Model of NSFs Capabilities", draft-ietf-
i2nsf-capability-05 (work in progress), April 2019. i2nsf-capability-05 (work in progress), April 2019.
[I-D.ietf-i2nsf-consumer-facing-interface-dm] [I-D.ietf-i2nsf-consumer-facing-interface-dm]
Jeong, J., Chung, C., Ahn, T., Kumar, R., and S. Hares, Jeong, J., Chung, C., Ahn, T., Kumar, R., and S. Hares,
"I2NSF Consumer-Facing Interface YANG Data Model", draft- "I2NSF Consumer-Facing Interface YANG Data Model", draft-
ietf-i2nsf-consumer-facing-interface-dm-12 (work in ietf-i2nsf-consumer-facing-interface-dm-13 (work in
progress), September 2020. progress), March 2021.
[I-D.ietf-i2nsf-nsf-facing-interface-dm] [I-D.ietf-i2nsf-nsf-facing-interface-dm]
Kim, J., Jeong, J., J., J., PARK, P., Hares, S., and Q. Kim, J., Jeong, J., J., J., PARK, P., Hares, S., and Q.
Lin, "I2NSF Network Security Function-Facing Interface Lin, "I2NSF Network Security Function-Facing Interface
YANG Data Model", draft-ietf-i2nsf-nsf-facing-interface- YANG Data Model", draft-ietf-i2nsf-nsf-facing-interface-
dm-10 (work in progress), August 2020. dm-12 (work in progress), March 2021.
[I-D.ietf-i2nsf-registration-interface-dm] [I-D.ietf-i2nsf-registration-interface-dm]
Hyun, S., Jeong, J., Roh, T., Wi, S., J., J., and P. PARK, Hyun, S., Jeong, J., Roh, T., Wi, S., J., J., and P. PARK,
"I2NSF Registration Interface YANG Data Model", draft- "I2NSF Registration Interface YANG Data Model", draft-
ietf-i2nsf-registration-interface-dm-09 (work in ietf-i2nsf-registration-interface-dm-10 (work in
progress), August 2020. progress), February 2021.
[I-D.ietf-netconf-subscribed-notifications] [I-D.ietf-netconf-subscribed-notifications]
Voit, E., Clemm, A., Prieto, A., Nilsen-Nygaard, E., and Voit, E., Clemm, A., Prieto, A., Nilsen-Nygaard, E., and
A. Tripathy, "Subscription to YANG Event Notifications", A. Tripathy, "Subscription to YANG Event Notifications",
draft-ietf-netconf-subscribed-notifications-26 (work in draft-ietf-netconf-subscribed-notifications-26 (work in
progress), May 2019. progress), May 2019.
[I-D.ietf-netconf-yang-push] [I-D.ietf-netconf-yang-push]
Clemm, A. and E. Voit, "Subscription to YANG Datastores", Clemm, A. and E. Voit, "Subscription to YANG Datastores",
draft-ietf-netconf-yang-push-25 (work in progress), May draft-ietf-netconf-yang-push-25 (work in progress), May
2019. 2019.
[I-D.yang-i2nsf-security-policy-translation] [I-D.yang-i2nsf-security-policy-translation]
Jeong, J., Yang, J., Chung, C., and J. Kim, "Security Jeong, J., Lingga, P., Yang, J., and C. Chung, "Security
Policy Translation in Interface to Network Security Policy Translation in Interface to Network Security
Functions", draft-yang-i2nsf-security-policy- Functions", draft-yang-i2nsf-security-policy-
translation-07 (work in progress), November 2020. translation-08 (work in progress), February 2021.
Old text (draft-ietf-i2nsf-nsf-monitoring-data-model-07):

Appendix A. Changes from draft-ietf-i2nsf-nsf-monitoring-data-model-06

The following changes are made from draft-ietf-i2nsf-nsf-monitoring-data-model-06:

o This version is revised according to the comments of Andy Bierman, who is a YANG doctor.

o This version updates its title to "I2NSF NSF Monitoring Interface YANG Data Model". It clarifies that the NSF Monitoring Interface delivers NSF monitoring data to an NSF data collector (e.g., Security Controller and NSF data analyzer).

o This version adds an attack destination IP address to the DDoS-attack event to provide the I2NSF Analyser with more information about the destination of DDoS-attack packets.

o This version supports a notification for monitoring traffic flows.

New text (draft-ietf-i2nsf-nsf-monitoring-data-model-08):

Appendix A. Changes from draft-ietf-i2nsf-nsf-monitoring-data-model-07

The following changes are made from draft-ietf-i2nsf-nsf-monitoring-data-model-07:

o This version is revised according to the comments from both Tom Petch and Andy Bierman.
Authors' Addresses

Jaehoon (Paul) Jeong (editor)
Department of Computer Science and Engineering
Sungkyunkwan University
2066 Seobu-Ro, Jangan-Gu
Suwon, Gyeonggi-Do 16419
Republic of Korea
End of changes. 76 change blocks. 2368 lines changed or deleted, 2393 lines changed or added.

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/